the CVE has not been published to cve.org - it is still in READY and not PUBLIC state in https://cveprocess.apache.org/cve5/CVE-2024-39954
Can it be published to cve.org so that the announcement is more widely seen? On 2025/08/19 07:19:57 Eason Chen wrote: > The issue has been fixed in the master branch, and the community plans > to resolve it in the upcoming version 1.12 release scheduled for > October-November. > > On Mon, Jun 30, 2025 at 11:09 AM Xue Weiming <[email protected]> wrote: > > > > Severity: low > > > > Affected versions: > > > > - Apache EventMesh Runtime (org.apache.eventmesh:eventmesh-runtime) 1.6.0 > > through 1.11.0 > > > > Description: > > > > CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in > > WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse > > functionality on the server to read or update internal resources. > > Users are recommended to upgrade to version 1.12.0 or use the master branch > > , which fixes this issue. > > > > Credit: > > > > Mak1r 808 <[email protected]> (reporter) > > > > References: > > > > https://eventmesh.apache.org > > https://www.cve.org/CVERecord?id=CVE-2024-39954 > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
