
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN407
_____________________________________________________________________

DATE                : 30/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache EventMesh Runtime versions
                     prior to 1.12.0.

=====================================================================
https://lists.apache.org/thread/sym881qnd394cqcyz34ymdyq7cpbbdws
_____________________________________________________________________

CVE-2024-39954: Apache EventMesh Runtime: SSRF
Severity: low

Affected versions:

- Apache EventMesh Runtime (org.apache.eventmesh:eventmesh-runtime)
1.6.0 through 1.11.0

Description:

CWE-918 Server-Side Request Forgery (SSRF) in the eventmesh-runtime
module, in WebhookUtil.java (on Windows, Linux and macOS), allows an
attacker to abuse functionality on the server to read or update
internal resources.

Users are recommended to upgrade to version 1.12.0 or use the master
branch, which fixes this issue.
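As an added illustration, not code from this advisory or from the Apache EventMesh project, the following Python guard shows the class of check that closes a webhook SSRF of the kind described above: the outbound URL is parsed, its scheme and embedded credentials are checked, its host is resolved, and every resolved address is tested against loopback, private, link-local and similar ranges before any request is issued. The names validate_webhook_url, is_internal_address, the resolver parameter and the CONSTRUCTED_DNS table are assumptions made for this example; the DNS entries are constructed so the block runs offline.

```python
"""Hypothetical SSRF guard for outbound webhook URLs (illustrative only)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class WebhookUrlRejected(ValueError):
    """Raised when a webhook target is not safe to call from the server."""


def default_resolver(hostname):
    """Resolve a hostname to the set of IP address strings it maps to."""
    infos = socket.getaddrinfo(hostname, None)
    return {info[4][0] for info in infos}


def is_internal_address(ip_text):
    """True for addresses an SSRF could use to reach internal resources."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url, resolver=default_resolver):
    """Return the vetted addresses for url, or raise WebhookUrlRejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise WebhookUrlRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise WebhookUrlRejected("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise WebhookUrlRejected("missing host")
    # Literal IP addresses are checked directly; names are resolved first.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            raise WebhookUrlRejected(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise WebhookUrlRejected(f"no addresses for {host!r}")
    # A mixed answer (one public, one internal address) is rejected outright:
    # the client could otherwise be steered to the internal one.
    internal = sorted(a for a in addresses if is_internal_address(a))
    if internal:
        raise WebhookUrlRejected(f"{host!r} maps to internal address(es): {internal}")
    return sorted(addresses)


# Constructed DNS table standing in for the real resolver (assumption).
CONSTRUCTED_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
    "metadata.example.com": ["169.254.169.254"],
}


def resolve_from_table(hostname):
    """Offline resolver backed by CONSTRUCTED_DNS."""
    if hostname not in CONSTRUCTED_DNS:
        raise OSError(f"constructed resolver has no entry for {hostname!r}")
    return set(CONSTRUCTED_DNS[hostname])


EXAMPLE_URLS = [
    "https://hooks.example.com/notify",     # public target: accepted
    "http://127.0.0.1:8080/admin",          # loopback literal
    "http://[::1]/",                        # IPv6 loopback literal
    "http://[::ffff:10.0.0.1]/",            # IPv4-mapped private address
    "http://169.254.169.254/",              # link-local literal
    "http://metadata.example.com/",         # name resolving to link-local
    "http://rebind.example.com/",           # mixed public/internal answer
    "http://user:pw@hooks.example.com/",    # embedded credentials
    "file:///etc/passwd",                   # non-HTTP scheme
]


def check_examples():
    """Classify each example URL as 'accepted' or 'rejected'."""
    results = {}
    for url in EXAMPLE_URLS:
        try:
            validate_webhook_url(url, resolver=resolve_from_table)
            results[url] = "accepted"
        except WebhookUrlRejected:
            results[url] = "rejected"
    return results


if __name__ == "__main__":
    for url, verdict in check_examples().items():
        print(f"{verdict:9s} {url}")
```

Two caveats apply when a check like this is wired into a real webhook sender: the HTTP client must connect to one of the addresses returned by validate_webhook_url rather than resolving the name a second time (otherwise a changing DNS answer defeats the check), and any redirect target must be passed through the same validation before it is followed.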


Credit:

Mak1r 808 <80...@gmail.com> (reporter)


References:

https://eventmesh.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-39954




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
