5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-7148

GHSA ID

GHSA-5fpq-3c9p-3r3w

EPSS Score

0.31362%

CWE

CWE-94

Published

12/29/2023

Updated

1/2/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-7148

CVE-2023-7148: ShifuML shifu code injection vulnerability

A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/ml/shifu/shifu/core/DataPurifier.java of the component Java Expression Language Handler. The manipulation of the argument FilterExpression leads to code injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249151.

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-7148

GHSA ID

GHSA-5fpq-3c9p-3r3w

EPSS Score

0.31362%

CWE

CWE-94

Published

12/29/2023

Updated

1/2/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ml.shifu:shifu	maven	<= 0.12.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe JEXL expression evaluation:

The DataPurifier constructor takes user-controlled FilterExpression and creates a JEXL Expression without restrictions
JexlEngine is initialized without security controls or class whitelisting
isFilter methods evaluate the expression using a context populated with user data
The combination allows attackers to craft expressions that execute arbitrary Java code through JEXL's reflection capabilities
This matches the CWE-94 pattern of code injection via uncontrolled expression evaluation

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *oun* in S*i*uML s*i*u *.**.* *n* *l*ssi*i** *s *riti**l. *****t** *y t*is vuln*r**ility is *n unknown *un*tion*lity o* t** *il* sr*/m*in/j*v*/ml/s*i*u/s*i*u/*or*/**t*Puri*i*r.j*v* o* t** *ompon*nt J*v* *xpr*ssion L*n*u*** **

Reasoning

T** vuln*r**ility st*ms *rom uns*** J*XL *xpr*ssion *v*lu*tion: *. T** **t*Puri*i*r *onstru*tor t*k*s us*r-*ontroll** *ilt*r*xpr*ssion *n* *r**t*s * J*XL *xpr*ssion wit*out r*stri*tions *. J*xl*n*in* is initi*liz** wit*out s**urity *ontrols or *l*ss

5

Basic Information

Concerned about an active attack path?

CVE-2023-7148: ShifuML shifu code injection vulnerability

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI