What is CVE-2023-38647?

CVE-2023-38647 is a vulnerability in Apache Helix that allows remote code execution through unbounded deserialization.

How severe is the CVE-2023-38647 vulnerability?

The severity of the CVE-2023-38647 vulnerability is critical with a CVSS score of 9.8.

Which software versions are affected by CVE-2023-38647?

The versions affected by CVE-2023-38647 are Apache Helix 1.3.0 and earlier.

How can I fix the CVE-2023-38647 vulnerability?

To fix the CVE-2023-38647 vulnerability, update Apache Helix to version 1.3.0 or later.

Where can I find more information about CVE-2023-38647?

You can find more information about CVE-2023-38647 in the Apache Helix mailing list, NVD, and GitHub commit references.

Vulnerability/
CVE-2023-38647

critical

9.8

CWE

502

25/7/2023

26/7/2023

2/10/2024

CVE-2023-38647: Apache Helix: Deserialization vulnerability in Helix workflow and REST

First published: Tue Jul 25 2023(Updated: )

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation. Affect all the versions lower and include 1.2.0. Affected products: helix-core, helix-rest Mitigation: Short term, stop using any YAML based configuration and workflow creation. Long term, all Helix version bumping up to 1.3.0

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Helix	<1.3.0
maven/org.apache.helix:helix-rest	<1.3.0	1.3.0
maven/org.apache.helix:helix-core	<1.3.0	1.3.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-38647?
CVE-2023-38647 is a vulnerability in Apache Helix that allows remote code execution through unbounded deserialization.
How severe is the CVE-2023-38647 vulnerability?
The severity of the CVE-2023-38647 vulnerability is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2023-38647?
The versions affected by CVE-2023-38647 are Apache Helix 1.3.0 and earlier.
How can I fix the CVE-2023-38647 vulnerability?
To fix the CVE-2023-38647 vulnerability, update Apache Helix to version 1.3.0 or later.
Where can I find more information about CVE-2023-38647?
You can find more information about CVE-2023-38647 in the Apache Helix mailing list, NVD, and GitHub commit references.

collector/oss-sec
alias/CVE-2023-38647
collector/nvd-index
agent/softwarecombine
agent/first-publish-date
agent/type
collector/nvd-latest
agent/software-canonical-lookup-request
agent/title
agent/references
agent/weakness
agent/severity
agent/description
agent/event
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-jhcr-hph9-g7wm
agent/last-modified-date
collector/nvd-cve
agent/author
agent/tags
collector/github-advisory
vendor/apache
canonical/apache helix
package-manager/maven

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.