Apache Helix vulnerabilities
2 known vulnerabilities affecting apache/helix.
Total CVEs
2
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2023-38647P2CRITICALCVSS 9.8fixed in 1.3.02023-07-26
CVE-2023-38647 [CRITICAL] CWE-502 CVE-2023-38647: An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a s
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.
Affect
nvd
CVE-2022-47500P4MEDIUMCVSS 6.1≥ 0.8.0, ≤ 1.0.42022-12-19
CVE-2022-47500 [MEDIUM] CWE-601 CVE-2022-47500: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apac
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.This issue affects Apache Helix all releases from 0.8.0 to 1.0.4.
Solution: removed the the forward component since it was improper designed for UI embedding.
User please upgrade to 1.1.0 to fix this issue.
nvd