{"schema_version": "1.6.1", "id": "CVE-2023-31039", "summary": "ServerOptions.pid_file may cause arbitrary code execution", "details": "Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file.\nAn attacker that can influence the ServerOptions pid_file parameter with which the bRPC server is started can execute arbitrary code with the permissions of the bRPC process.\n\nSolution:\n1. upgrade to bRPC >= 1.5.0, download link:  https://dist.apache.org/repos/dist/release/brpc/1.5.0/ https://dist.apache.org/repos/dist/release/brpc/1.5.0/ \n2. If you are using an old version of bRPC and hard to upgrade, you can apply this patch:  https://github.com/apache/brpc/pull/2218 https://github.com/apache/brpc/pull/2218 ", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0.9.0"}, {"fixed": "1.5.0"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/jqpttrqbc38yhckgp67xk399hqxnz7jn"}]}