CVE-2023-7148 MEDIUM

CVE-2023-7148: ShifuML shifu Java Expression Language DataPurifier.java code injection

Vendor Shifuml

Product shifu

Weakness CWE-94 · Code injection

Published December 29, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

Description

A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/ml/shifu/shifu/core/DataPurifier.java of the component Java Expression Language Handler. The manipulation of the argument FilterExpression leads to code injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249151.

Key dates

Disclosure timeline

December 29, 2023 CVE published

August 2, 2024 Record updated