CVE-2023-26512: Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data
First published: Sat Jul 15 2023(Updated: )
CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, the new version is set to be released as soon as possible.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.eventmesh:eventmesh-connector-rabbitmq | >=1.7.0<=1.8.0 | |
| Apache EventMesh | >=1.7.0<=1.8.0 | |
| Apple macOS | ||
| Linux Kernel | ||
| Microsoft Windows | ||
| All of | ||
| Any of | ||
| Apple macOS | ||
| Linux Kernel | ||
| Microsoft Windows | ||
| Apache EventMesh | >=1.7.0<=1.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-26512?
CVE-2023-26512 is a vulnerability in the Apache EventMesh RabbitMQ-Connector plugin that allows remote code execution through deserialization of untrusted data.
What is the severity of CVE-2023-26512?
CVE-2023-26512 has a severity rating of 9.8 (Critical).
Which software versions are affected by CVE-2023-26512?
CVE-2023-26512 affects Apache EventMesh (incubating) V1.7.0 to V1.8.0 on Windows, Linux, and Mac OS platforms.
How can attackers exploit CVE-2023-26512?
Attackers can exploit CVE-2023-26512 by sending controlled messages via rabbitmq messages to execute remote code.
Are there any references for CVE-2023-26512?
Yes, here are some references for CVE-2023-26512: [Reference 1](https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p), [Reference 2](https://nvd.nist.gov/vuln/detail/CVE-2023-26512), [Reference 3](https://github.com/advisories/GHSA-fj8f-56wc-q36r).
- collector/oss-sec
- alias/CVE-2023-26512
- collector/nvd-latest
- collector/github-advisory-latest
- alias/GHSA-fj8f-56wc-q36r
- collector/github-advisory
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/title
- agent/weakness
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- package-manager/maven
- vendor/apache
- canonical/apache eventmesh
- version/apache eventmesh/1.7.0
- version/apache eventmesh/1.8.0
- vendor/apple
- canonical/apple macos
- vendor/linux
- canonical/linux kernel
- vendor/microsoft
- canonical/microsoft windows