Apache Helix security advisories
Security information for Apache Helix
Reporting
Do you want disclose a potential security issue for Apache Helix? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Helix front hard-coded secret in the express-session
CVE-2024-22281 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-20T22:11:36.792Z
Affected
- Apache Helix Front (UI) through *
Description
** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies.
This issue affects Apache Helix Front (UI): all versions.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
Credits
- Jonathan Leitschuh (finder)
Deserialization vulnerability in Helix workflow and REST
CVE-2023-38647 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-26T07:52:23.420Z
Affected
- Apache Helix through 1.2.0
Description
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.
Affect all the versions lower and include 1.2.0.
Affected products: helix-core, helix-rest
Mitigation: Short term, stop using any YAML based configuration and workflow creation.
Long term, all Helix version bumping up to 1.3.0
References
Credits
- Qing Xu (reporter)
Open redirect
CVE-2022-47500 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-19T09:23:48.197Z
Affected
- Apache Helix from 0.8.0 through 1.0.4
Description
URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Apache Software Foundation Apache Helix UI component.
This issue affects Apache Helix all releases from 0.8.0 to 1.0.4.
Solution: removed the the forward component since it was improper designed for UI embedding.User please upgrade to 1.1.0 to fix this issue.
References
Credits
- This issue was discovered by Everardo Padilla Saca (reporter)