GHSA-2gh6-wc3m-g37f

Source
https://github.com/advisories/GHSA-2gh6-wc3m-g37f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2gh6-wc3m-g37f/GHSA-2gh6-wc3m-g37f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2gh6-wc3m-g37f
Published
2024-09-17T19:29:24Z
Modified
2024-12-07T05:38:27.749613Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
hermes-management is vulnerable to RCE due to Apache commons-jxpath
Details

Impact

hermes-management is vulnerable to remote code execution (RCE) when it processes user-controlled data, because it uses the Apache commons-jxpath library.

Patches

Upgrade Hermes to hermes-2.2.9 or later.

References

https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1395"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T19:29:24Z"
}
Affected packages

Maven / pl.allegro.tech.hermes:hermes-management

Package

Name
pl.allegro.tech.hermes:hermes-management
Purl
pkg:maven/pl.allegro.tech.hermes/hermes-management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.9

Affected versions

0.*

0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.8.0
0.8.1
0.8.2-rc1
0.8.2-rc2
0.8.2
0.8.3
0.8.3-batch-delivery
0.8.3-hotfix1
0.8.4
0.8.5
0.8.5-hotfix1
0.8.5-hotfix2
0.8.6
0.8.6-hotfix1
0.8.6-hotfix2
0.8.6-hotfix3
0.8.6-hotfix4
0.8.6-hotfix5
0.8.7
0.8.7-hotfix1
0.8.8
0.8.9
0.8.10
0.8.10-hotfix1
0.8.10-hotfix2
0.8.11
0.8.12
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.14.0
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.15.10-enable-setting-idle-connection-timeout-for-jetty-client
0.16.0
0.16.1
0.16.2

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.7.0
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.6-batch-exceptions-logging
1.8.7
1.8.8
1.8.9
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5-management-restTemplate-bean-for-EventAuditor
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.9.13
1.9.14
1.9.15
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.14.0
1.14.1

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8