Apologies, this was my oversight: I was still confirming the project had a plan for the release. The advisory is now pushed to https://www.cve.org/CVERecord?id=CVE-2024-39954
Kind regards,
Arnout

On 2025/08/19 12:43:00 PJ Fanning wrote:
> the CVE has not been published to cve.org - it is still in READY and not
> PUBLIC state in
> https://cveprocess.apache.org/cve5/CVE-2024-39954
>
> Can it be published to cve.org so that the announcement is more widely seen?
>
> On 2025/08/19 07:19:57 Eason Chen wrote:
> > The issue has been fixed in the master branch, and the community plans
> > to resolve it in the upcoming version 1.12 release scheduled for
> > October-November.
> >
> > On Mon, Jun 30, 2025 at 11:09 AM Xue Weiming <[email protected]> wrote:
> > >
> > > Severity: low
> > >
> > > Affected versions:
> > >
> > > - Apache EventMesh Runtime (org.apache.eventmesh:eventmesh-runtime) 1.6.0
> > >   through 1.11.0
> > >
> > > Description:
> > >
> > > CWE-918 Server-Side Request Forgery (SSRF) in the eventmesh-runtime module in
> > > WebhookUtil.java on Windows/Linux/macOS, e.g., allows an attacker to
> > > abuse functionality on the server to read or update internal resources.
> > > Users are recommended to upgrade to version 1.12.0 or use the master
> > > branch, which fixes this issue.
> > >
> > > Credit:
> > >
> > > Mak1r 808 <[email protected]> (reporter)
> > >
> > > References:
> > >
> > > https://eventmesh.apache.org
> > > https://www.cve.org/CVERecord?id=CVE-2024-39954
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
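The advisory classifies the bug as CWE-918: a webhook utility let the server fetch a destination it should not have reached. The usual fix for that class is to validate the outbound destination before the request is made, not just the URL string but every address the hostname resolves to. The block below is an added illustration of such a guard and is not EventMesh's code or its actual fix; `WebhookUtil.java` is not reproduced here. It is written in Python so it runs offline, and the allowed scheme/port sets, the `resolve` callback and the `FAKE_DNS` table standing in for DNS are all constructed assumptions.

```python
"""Added example (not EventMesh code): reject webhook destinations that
would make the server talk to loopback, private, link-local or otherwise
non-public addresses, which is the CWE-918 pattern in the advisory."""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: the only outbound schemes and ports a webhook may use.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}


def is_public_address(ip: str) -> bool:
    """True if the address is globally routable: not loopback, private,
    link-local, multicast, reserved or unspecified."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 so the IPv4
    # range checks apply to them as well.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_webhook_url(url: str, resolve) -> tuple[bool, str]:
    """Return (ok, reason). `resolve(host)` (assumed callback) returns the
    list of IP strings the host maps to. It is injected so the example runs
    offline and so a caller can pin the checked addresses when connecting;
    re-resolving at connect time reopens a DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # A literal IP is checked directly; a hostname is checked on every
    # address it resolves to, so a name mapping to 10.0.0.5 is rejected
    # even if it also maps to a public address.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolve(host)
    if not candidates:
        return False, "host does not resolve"
    for ip in candidates:
        if not is_public_address(ip):
            return False, f"destination resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver table standing in for DNS (addresses are examples).
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "internal.example": ["169.254.10.20"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ["https://hooks.example.com/notify", "http://127.0.0.1:8080/admin",
              "http://internal.example/latest", "file:///etc/passwd",
              "https://rebind.example.net/cb", "http://[::ffff:127.0.0.1]/"]:
        print(u, validate_webhook_url(u, fake_resolve))
```

The check is only as good as the binding between what was validated and what is connected to: the caller should open the socket to one of the addresses returned by `resolve` rather than letting the HTTP client resolve the name again, and should disable or re-validate redirects, since a public host can redirect the client back to an internal one.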
