Deserialization Vulnerability in Apache EventMesh Plugin
CVE-2024-56180

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Eventmesh
Vendor: CVE Published:; 14 February 2025

Summary

The Apache EventMesh plugin contains a vulnerability allowing attackers to exploit the deserialization of untrusted data via the hessian RPC protocol. This flaw can be exploited on various platforms, including Windows, Linux, and macOS. An attacker can send controlled messages leading to remote code execution. Users are encouraged to update to version 1.11.0 or utilize the master branch code from the project repository to remediate this issue.

Affected Version(s)

Apache EventMesh 1.10.1 < 1.11.0

References

https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c5...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 14, 2025
Vulnerability Reserved
Dec 18, 2024

Credit

yulate

Au5t1n

h3h3qaq

X1r0z