CVE-2023-7148

Name of the Vulnerable Software and Affected Versions ShifuML shifu version 0.12.0

Description A critical vulnerability has been found in the Java Expression Language Handler component, specifically in the file src/main/java/ml/shifu/shifu/core/DataPurifier.java. The manipulation of the FilterExpression argument leads to code injection. The attack can be launched remotely, with a rather high complexity and difficult exploitation. The exploit has been disclosed to the public and may be used.

Recommendations For ShifuML shifu version 0.12.0, as a temporary workaround, consider restricting access to the DataPurifier.java file and the Java Expression Language Handler component to minimize the risk of exploitation. Avoid using the FilterExpression argument in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.