Description
CWE-502 Deserialization of Untrusted Data in the rabbitmq-connector plugin module of Apache EventMesh (incubating) V1.7.0/V1.8.0, on platforms such as Windows, Linux and macOS, allows attackers to send controlled messages and achieve remote code execution via RabbitMQ messages. Users can use the code under the master branch of the project repo to fix this issue; we will release the new version as soon as possible.
References (1)
Core References
Mailing List vendor-advisory
https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p
Scores
CVSS v3
9.8
EPSS
0.0011
EPSS Percentile
28.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
apache/eventmesh-connector-rabbitmq
1.7.0 - 1.8.0
org.apache.eventmesh/eventmesh-connector-rabbitmq
1.7.0 (Maven)
Published
Jul 17, 2023
Tracked Since
Feb 18, 2026