GHSA-2gh6-wc3m-g37f

Source

https://github.com/advisories/GHSA-2gh6-wc3m-g37f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2gh6-wc3m-g37f/GHSA-2gh6-wc3m-g37f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2gh6-wc3m-g37f

Published

2024-09-17T19:29:24Z

Modified

2024-09-17T19:45:51.476714Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

hermes-management is vulnerable to RCE due to Apache commons-jxpath

Details

Impact

hermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.

Patches

Upgrade Hermes to at least hermes-2.2.9

References

https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

References

Affected packages

Maven / pl.allegro.tech.hermes:hermes-management

Package

Name: pl.allegro.tech.hermes:hermes-management; View open source insights on deps.dev
Purl: pkg:maven/pl.allegro.tech.hermes/hermes-management

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.9

Affected versions

0.*

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.8.0

0.8.1

0.8.2-rc1

0.8.2-rc2

0.8.2

0.8.3

0.8.3-batch-delivery

0.8.3-hotfix1

0.8.4

0.8.5

0.8.5-hotfix1

0.8.5-hotfix2

0.8.6

0.8.6-hotfix1

0.8.6-hotfix2

0.8.6-hotfix3

0.8.6-hotfix4

0.8.6-hotfix5

0.8.7

0.8.7-hotfix1

0.8.8

0.8.9

0.8.10

0.8.10-hotfix1

0.8.10-hotfix2

0.8.11

0.8.12

0.9.0

0.9.1

0.9.2

0.9.3

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.12.0

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.8

0.12.9

0.12.10

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.14.0

0.15.0

0.15.1

0.15.2

0.15.3

0.15.4

0.15.5

0.15.6

0.15.7

0.15.8

0.15.9

0.15.10-enable-setting-idle-connection-timeout-for-jetty-client

0.16.0

0.16.1

0.16.2

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0

1.6.1

1.6.2

1.7.0

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.6-batch-exceptions-logging

1.8.7

1.8.8

1.8.9

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5-management-restTemplate-bean-for-EventAuditor

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.10.0

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.13.0

1.14.0

1.14.1

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8