8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28754

GHSA ID

GHSA-3cxh-xp3g-jxjm

EPSS Score

0.46269%

CWE

CWE-502

Published

7/19/2023

Updated

11/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28754

CVE-2023-28754: Apache ShardingSphere-Agent Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file.

The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. When the ShardingSphere JVM process starts and uses the ShardingSphere-Agent, the arbitrary code specified by the attacker will be executed during the deserialization of the YAML configuration file by the Agent.

This issue affects ShardingSphere-Agent: through 5.3.2. This vulnerability is fixed in Apache ShardingSphere 5.4.0.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28754

GHSA ID

GHSA-3cxh-xp3g-jxjm

EPSS Score

0.46269%

CWE

CWE-502

Published

7/19/2023

Updated

11/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.shardingsphere:shardingsphere	maven	<= 5.3.2	5.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe YAML deserialization using SnakeYAML. The advisory explicitly mentions exploitation via deserializing java.net.URLClassLoader and javax.script.ScriptEngineManager, which implies the configuration loader uses generic deserialization (Yaml.load()) rather than type-restricted parsing. The AgentConfigurationLoader class is the logical component handling YAML configuration parsing in ShardingSphere-Agent, and versions ≤5.3.2 would lack the safe deserialization fixes implemented in 5.4.0. The confidence is high because the attack vector directly maps to YAML deserialization entry points in the agent's configuration loading mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ri*liz*tion o* Untrust** **t* vuln*r**ility in *p**** S**r*in*Sp**r*-***nt, w*i** *llows *tt**k*rs to *x**ut* *r*itr*ry *o** *y *onstru*tin* * sp**i*l Y*ML *on*i*ur*tion *il*. T** *tt**k*r n***s to **v* p*rmission to mo*i*y t** S**r*in*Sp**r* **

Reasoning

T** vuln*r**ility st*ms *rom uns*** Y*ML **s*ri*liz*tion usin* Sn*k*Y*ML. T** **visory *xpli*itly m*ntions *xploit*tion vi* **s*ri*lizin* j*v*.n*t.URL*l*ssLo***r *n* j*v*x.s*ript.S*ript*n*in*M*n***r, w*i** impli*s t** *on*i*ur*tion lo***r us*s **n*ri

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-28754: Apache ShardingSphere-Agent Deserialization of Untrusted Data vulnerability

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI