AVID-2026-R1220

Description

Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data (CVE-2023-26512)

Details

CWE-502 Deserialization of Untrusted Data in the rabbitmq-connector plugin module of Apache EventMesh (incubating) V1.7.0/V1.8.0 on platforms such as Windows, Linux and macOS allows attackers to send controlled messages and achieve remote code execution via RabbitMQ messages. Users can use the code under the master branch in the project repo to fix this issue; we will release the new version as soon as possible.

Reason for inclusion in AVID: The CVE describes a remote code execution vulnerability in the Apache EventMesh RabbitMQ-Connector plugin via deserialization of untrusted data. This plugin is a software component that can be part of AI deployment/data pipelines (messaging/ingestion) and thus relates to AI software supply chains. The issue affects a component used to build/run AI systems, involves a security vulnerability, and the report provides explicit details (CVE, CWE-502, affected versions, remediation status). Therefore it satisfies all criteria for AVID curation.

References

Affected or Relevant Artifacts

  • Developer: Apache Software Foundation
  • Deployer: Apache Software Foundation
  • Artifact Details:

| Type | Name |
|------|------|
| System | Apache EventMesh (incubating) RabbitMQ connector |

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

| ID | Description |
|----|-------------|
| CWE-502 | CWE-502 Deserialization of Untrusted Data |

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-07-17
  • Version: 0.3.3
  • AVID Entry