PT-2025-6724 · Apache · Apache Eventmesh

Au5T1N +3 · Published 2025-02-14 · Updated 2026-03-10 · CVE-2024-56180

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache EventMesh versions prior to 1.11.0

Description

The issue is a deserialization of untrusted data in the eventmesh-meta-raft plugin module of Apache EventMesh. It allows attackers to send controlled messages and execute remote code via the Hessian deserialization RPC protocol. This affects platforms such as Windows, Linux, and Mac OS.

Recommendations

For versions prior to 1.11.0, users can use the code under the master branch in the project repository or update to version 1.11.0 to fix this issue. As a temporary workaround, consider restricting access to the vulnerable eventmesh-meta-raft plugin module until a patch is available.

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2024-56180
GHSA-FFVR-GMP3-XX43

Affected Products

Apache Eventmesh