Search criteria
4 vulnerabilities found for eventmesh by apache
CVE-2024-39954 (GCVE-0-2024-39954)
Vulnerability from nvd – Published: 2025-08-20 08:56 – Updated: 2025-08-20 13:20
VLAI?
Title
Apache EventMesh Runtime: SSRF
Summary
CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache EventMesh Runtime |
Affected:
1.6.0 , ≤ 1.11.0
(semver)
|
Credits
Mak1r 808 <808mak1r@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:19:23.904981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:20:27.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-runtime",
"product": "Apache EventMesh Runtime",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.11.0",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mak1r 808 \u003c808mak1r@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in \u003cspan style=\"background-color: rgba(0, 0, 0, 0.06);\"\u003eWebhookUtil.java\u003c/span\u003e on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\u003cbr\u003eUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\nUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T08:56:41.560Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh Runtime: SSRF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-39954",
"datePublished": "2025-08-20T08:56:41.560Z",
"dateReserved": "2024-07-05T03:29:51.640Z",
"dateUpdated": "2025-08-20T13:20:27.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56180 (GCVE-0-2024-56180)
Vulnerability from nvd – Published: 2025-02-14 13:34 – Updated: 2025-02-18 15:10
VLAI?
Title
Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
Summary
CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache EventMesh |
Affected:
1.10.1 , < 1.11.0
(semver)
|
Credits
yulate
Au5t1n
h3h3qaq
X1r0z
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-14T17:02:37.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:09:26.643766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:10:16.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-meta-raft",
"product": "Apache EventMesh",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yulate"
},
{
"lang": "en",
"type": "reporter",
"value": "Au5t1n"
},
{
"lang": "en",
"type": "reporter",
"value": "h3h3qaq"
},
{
"lang": "en",
"type": "reporter",
"value": "X1r0z"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:27:57.229Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-56180",
"datePublished": "2025-02-14T13:34:26.600Z",
"dateReserved": "2024-12-18T07:46:43.781Z",
"dateUpdated": "2025-02-18T15:10:16.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39954 (GCVE-0-2024-39954)
Vulnerability from cvelistv5 – Published: 2025-08-20 08:56 – Updated: 2025-08-20 13:20
VLAI?
Title
Apache EventMesh Runtime: SSRF
Summary
CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache EventMesh Runtime |
Affected:
1.6.0 , ≤ 1.11.0
(semver)
|
Credits
Mak1r 808 <808mak1r@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:19:23.904981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:20:27.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-runtime",
"product": "Apache EventMesh Runtime",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.11.0",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mak1r 808 \u003c808mak1r@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in \u003cspan style=\"background-color: rgba(0, 0, 0, 0.06);\"\u003eWebhookUtil.java\u003c/span\u003e on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\u003cbr\u003eUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\nUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T08:56:41.560Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh Runtime: SSRF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-39954",
"datePublished": "2025-08-20T08:56:41.560Z",
"dateReserved": "2024-07-05T03:29:51.640Z",
"dateUpdated": "2025-08-20T13:20:27.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56180 (GCVE-0-2024-56180)
Vulnerability from cvelistv5 – Published: 2025-02-14 13:34 – Updated: 2025-02-18 15:10
VLAI?
Title
Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
Summary
CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache EventMesh |
Affected:
1.10.1 , < 1.11.0
(semver)
|
Credits
yulate
Au5t1n
h3h3qaq
X1r0z
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-14T17:02:37.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:09:26.643766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:10:16.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-meta-raft",
"product": "Apache EventMesh",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yulate"
},
{
"lang": "en",
"type": "reporter",
"value": "Au5t1n"
},
{
"lang": "en",
"type": "reporter",
"value": "h3h3qaq"
},
{
"lang": "en",
"type": "reporter",
"value": "X1r0z"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:27:57.229Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-56180",
"datePublished": "2025-02-14T13:34:26.600Z",
"dateReserved": "2024-12-18T07:46:43.781Z",
"dateUpdated": "2025-02-18T15:10:16.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}