CVE-2024-39954 — MEDIUM (6.3)

Q: How severe is CVE-2024-39954?

CVE-2024-39954 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-39954?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Eventmesh.

Vulnerability Description

CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Apache	Eventmesh	< 1.12.0

Related Weaknesses (CWE)

CWE-918

References

https://lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkonMailing List

FAQ

What is CVE-2024-39954?

CVE-2024-39954 is a vulnerability with a CVSS score of 6.3 (MEDIUM). CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update inte...

How severe is CVE-2024-39954?

CVE-2024-39954 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-39954?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Eventmesh.