Apache Helix security advisories

Security information for Apache Helix

Reporting

Do you want disclose a potential security issue for Apache Helix? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Helix front hard-coded secret in the express-session

CVE-2024-22281 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-20T22:11:36.792Z

Affected

  • Apache Helix Front (UI) through *

Description

** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies.

This issue affects Apache Helix Front (UI): all versions.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

Credits

  • Jonathan Leitschuh (finder)

Deserialization vulnerability in Helix workflow and REST

CVE-2023-38647 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-26T07:52:23.420Z

Affected

  • Apache Helix through 1.2.0

Description

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the versions lower and include 1.2.0.

Affected products: helix-core, helix-rest

Mitigation: Short term, stop using any YAML based configuration and workflow creation.
                  Long term, all Helix version bumping up to 1.3.0 

References

Credits

  • Qing Xu (reporter)

Open redirect

CVE-2022-47500 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-19T09:23:48.197Z

Affected

  • Apache Helix from 0.8.0 through 1.0.4

Description

URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Apache Software Foundation Apache Helix UI component.

This issue affects Apache Helix all releases from 0.8.0 to 1.0.4.

Solution: removed the the forward component since it was improper designed for UI embedding.

 User please upgrade to 1.1.0 to fix this issue.

References

Credits

  • This issue was discovered by Everardo Padilla Saca (reporter)