CVE-2023-28754: Apache ShardingSphere-Agent Deserialization of Untrusted Data vulnerability
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2023-28754
GHSA ID:
EPSS Score: 0.46269%
CWE:
Published: 7/19/2023
Updated: 11/7/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reading the vector: reachable over the network, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.shardingsphere:shardingsphere | maven | <= 5.3.2 | 5.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsafe YAML deserialization with SnakeYAML. The advisory names java.net.URLClassLoader and javax.script.ScriptEngineManager as classes an attacker can have instantiated, which is the signature of SnakeYAML's default constructor (a plain new Yaml() followed by Yaml.load()): any !!fully.qualified.ClassName global tag in the document is resolved to that class, and its constructor is invoked with attacker-supplied arguments. A URLClassLoader pointed at an attacker-controlled URL, wrapped in a ScriptEngineManager (which uses ServiceLoader to look up ScriptEngineFactory implementations through the supplied class loader), makes the JVM fetch and execute remote code. Nothing in the advisory indicates a SafeConstructor-based or type-restricted parser, which is what stops this class of attack. The AgentConfigurationLoader class, which parses the agent's YAML configuration in ShardingSphere-Agent, is the most likely entry point; versions 5.3.2 and earlier lack the safe deserialization handling introduced in 5.4.0. Confidence is high because the named gadget classes map directly onto the YAML deserialization entry point in the agent's configuration loading. One practical caveat: the attacker has to control the YAML that the agent loads, which is consistent with the PR:L component of the CVSS vector, so exposure in a given deployment depends on who can write or supply the agent's configuration.
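To make the root cause concrete, the following is an added example written for this page, not code from ShardingSphere-Agent or from its 5.4.0 fix. It assumes SnakeYAML 1.33 on the classpath (the last 1.x release, whose default constructor still honours arbitrary global tags); the class and method names AgentYamlDemo, loadUnsafe, loadSafe and unsafeInstantiatesArbitraryClass are hypothetical, and the YAML document is constructed for the demo. It loads a document carrying a !!java.net.URLClassLoader tag once with the default Yaml() constructor, which instantiates the class, and once with SafeConstructor, which rejects the tag.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.net.URLClassLoader;
import java.util.Map;

/**
 * Hypothetical demo of the vulnerable loading pattern beside the hardened one.
 * Not ShardingSphere code; assumes SnakeYAML 1.33.
 */
public final class AgentYamlDemo {

    // Constructed sample: the shape an attacker-controlled agent YAML could take.
    // 192.0.2.1 is in the documentation address range and nothing is fetched here:
    // constructing a URLClassLoader does not contact its URLs. The point is only
    // that the parser instantiates whatever class the tag names.
    static final String HOSTILE_YAML = String.join("\n",
            "applicationName: demo",
            "loader: !!java.net.URLClassLoader [[!!java.net.URL [\"http://192.0.2.1/\"]]]",
            "");

    /** Vulnerable: the default constructor resolves any !!fully.qualified.ClassName tag. */
    static Object loadUnsafe(String yamlText) {
        return new Yaml().load(yamlText);
    }

    /** Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Object loadSafe(String yamlText) {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts)).load(yamlText);
    }

    /** True when the unsafe loader turned the tagged node into a real URLClassLoader. */
    static boolean unsafeInstantiatesArbitraryClass(String yamlText) {
        Object doc = loadUnsafe(yamlText);
        if (!(doc instanceof Map)) {
            return false;
        }
        return ((Map<?, ?>) doc).get("loader") instanceof URLClassLoader;
    }

    public static void main(String[] args) {
        System.out.println("default Yaml() instantiated URLClassLoader: "
                + unsafeInstantiatesArbitraryClass(HOSTILE_YAML));

        try {
            loadSafe(HOSTILE_YAML);
            System.out.println("SafeConstructor accepted the document (unexpected)");
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for the global tag and refuses it.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

Run it with snakeyaml 1.33 on the classpath. Wrapping the same loader in a !!javax.script.ScriptEngineManager tag, as the advisory describes, is what would trigger a remote fetch, because ScriptEngineManager uses ServiceLoader to look up ScriptEngineFactory implementations through the supplied class loader; the demo deliberately stops one step short of that. SnakeYAML 2.x changes the default so that global tags such as !!java.net.URLClassLoader are rejected unless a TagInspector explicitly allows them, but the SafeConstructor form is the explicit, version-independent fix when the document only needs plain maps, lists and scalars; a loader that must build a typed configuration object should bind it with a constructor restricted to that type and still refuse global tags.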