GHSA-jhcr-hph9-g7wm

Suggest an improvement
Source
https://github.com/advisories/GHSA-jhcr-hph9-g7wm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-jhcr-hph9-g7wm/GHSA-jhcr-hph9-g7wm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jhcr-hph9-g7wm
Aliases
  • CVE-2023-38647
Related
Published
2023-07-26T09:30:15Z
Modified
2024-02-16T08:15:01.121083Z
Summary
Deserialization vulnerability in Helix workflow and REST
Details

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the versions lower and include 1.2.0.

Affected products: helix-core, helix-rest

Mitigation: Short term, stop using any YAML based configuration and workflow creation.                   Long term, all Helix version bumping up to 1.3.0 

References

Affected packages

Maven / org.apache.helix:helix-core

Package

Name
org.apache.helix:helix-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.helix/helix-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.0

Affected versions

0.*

0.6.0-incubating
0.6.1-incubating
0.6.2-incubating
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0-incubating
0.7.1
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.0.1
0.9.1
0.9.4
0.9.7
0.9.8
0.9.9
0.9.10

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.2.0

Maven / org.apache.helix:helix-rest

Package

Name
org.apache.helix:helix-rest
View open source insights on deps.dev
Purl
pkg:maven/org.apache.helix/helix-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.0

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.0.1
0.9.1
0.9.4
0.9.7
0.9.8
0.9.9
0.9.10

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.2.0