CVE-2023-45146 CRITICAL

CVE-2023-45146: Remote code execution in XXL-RPC

Vendor Xuexueli
Product xxl-rpc
Weakness CWE-502 · Unsafe deserialization
Published October 18, 2023
Last update August 29, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

XXL-RPC is a high-performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and supply malicious serialized objects that, once deserialized, force it to execute arbitrary code. This can be abused to take control of the machine the server is running on by way of remote code execution. This issue has not been fixed.

Key dates

Disclosure timeline

October 18, 2023 CVE published
August 29, 2024 Record updated