9.8
CVE-2023-5016
- EPSS 0.89%
- Veröffentlicht 17.09.2023 02:15:08
- Zuletzt bearbeitet 21.11.2024 08:40:53
- Quelle cna@vuldb.com
- CVE-Watchlists
- Unerledigt
Loginspider-flow API DataSourceController.java DriverManager.getConnection deserialization
A vulnerability was found in spider-flow up to 0.5.0. It has been declared as critical. Affected by this vulnerability is the function DriverManager.getConnection of the file src/main/java/org/spiderflow/controller/DataSourceController.java of the component API. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239857 was assigned to this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ssssssss ≫ Spider-flow Version <= 0.5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.89% | 0.547 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| cna@vuldb.com | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
|
| cna@vuldb.com | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://github.com/bayuncao/vul-cve
https://github.com/bayuncao/vul-cve/blob/main/spider-flow%20fastjson%20jdbc%20deserialization
https://vuldb.com/?ctiid.239857
https://vuldb.com/?id.239857