Vulnerability DatabaseCVE-2023-45146
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-45146
October 18, 2023
XXL-RPC is a high performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code. This can be abused to take control of the machine the server is running by way of remote code execution. This issue has not been fixed.
Related Resources (6)
https://securitylab.github.com/advisories/GHSL-2023-052_XXL-RPC
https://www.vicarius.io/vsociety/posts/xxl-rpc-rce-cve-2023-45146
https://github.com/xuxueli/xxl-rpc
https://nvd.nist.gov/vuln/detail/CVE-2023-45146
https://securitylab.github.com/advisories/GHSL-2023-052_XXL-RPC/
https://github.com/xuxueli/xxl-rpc/blob/eeaa1bd7fc8f2249de13f971dda4f6689d66f318/xxl-rpc-core/src/main/java/com/xxl/rpc/core/serialize/impl/HessianSerializer.java#L45
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502
EPSS
Base Score:
3.12