Vulnerabilities > Apache > Shardingsphere

DATE CVE VULNERABILITY TITLE RISK
2023-07-19 CVE-2023-28754 Deserialization of Untrusted Data vulnerability in Apache Shardingsphere
Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file. The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader.
network
low complexity
apache CWE-502
8.8
2022-12-22 CVE-2022-45347 Unspecified vulnerability in Apache Shardingsphere
Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client.
network
low complexity
apache
critical
9.8
2020-03-11 CVE-2020-1947 Deserialization of Untrusted Data vulnerability in Apache Shardingsphere 4.0.0
In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration.
network
low complexity
apache CWE-502
critical
9.8