org.apache.shardingsphere:shardingsphere@5.3.1 vulnerabilities

latest version

5.5.2

latest non vulnerable version

5.5.2

first published

5 years ago

latest version published

1 months ago

licenses detected

Apache-2.0
[4.0.0-RC1,)

package manager

View on Maven Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shardingsphere:shardingsphere package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to execute arbitrary code by constructing a special YAML configuration file. An attacker can use SnakeYAML to deserialize `java.net.URLClassLoader` and make it load a JAR from a specified URL, and then deserialize `javax.script.ScriptEngineManager` to load code using that ClassLoader. When the ShardingSphere JVM process starts and uses the ShardingSphere-Agent, the arbitrary code specified by the attacker will be executed during the deserialization of the YAML configuration file by the Agent. Note: The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.shardingsphere:shardingsphere` to version 5.4.0 or higher.	[,5.4.0)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to execute arbitrary code by constructing a special YAML configuration file. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. When the ShardingSphere JVM process starts and uses the ShardingSphere-Agent, the arbitrary code specified by the attacker will be executed during the deserialization of the YAML configuration file by the Agent.

Note:

The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.shardingsphere:shardingsphere to version 5.4.0 or higher.

[,5.4.0)

Go back to all versions of this package