CVE-2024-39954 — Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java

Description

Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch, which fixes this issue.

How to fix CVE-2024-39954

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-39954 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.6.0-release, <= 1.11.0-release

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-39954
PATCHgithub.com/apache/eventmesh
WEBlists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon