Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Filtered by product Helix
Total 2 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-38647 1 Apache 1 Helix 2024-11-21 N/A 9.8 CRITICAL
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation. Affect all the versions lower and include 1.2.0. Affected products: helix-core, helix-rest Mitigation: Short term, stop using any YAML based configuration and workflow creation.                   Long term, all Helix version bumping up to 1.3.0 
CVE-2022-47500 1 Apache 1 Helix 2024-11-21 N/A 6.1 MEDIUM
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.This issue affects Apache Helix all releases from 0.8.0 to 1.0.4. Solution: removed the the forward component since it was improper designed for UI embedding.  User please upgrade to 1.1.0 to fix this issue.