CVSS: 9.8 | EPSS: 94% | CPEs: 1 | EXPL: 5

A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

• https://github.com/Cappricio-Securities/CVE-2024-0195
• https://github.com/MuhammadWaseem29/CVE-2024-0195-SpiderFlow
• https://github.com/fa-rrel/CVE-2024-0195-SpiderFlow
• https://github.com/hack-with-rohit/CVE-2024-0195-SpiderFlow
• https://github.com/laoquanshi/puppy/blob/main/spider-flow%20code%20injection%20causes%20rce.md
• https://vuldb.com/?ctiid.249510
• https://vuldb.com/?id.249510

• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability was found in spider-flow up to 0.5.0. It has been declared as critical. Affected by this vulnerability is the function DriverManager.getConnection of the file src/main/java/org/spiderflow/controller/DataSourceController.java of the component API. The manipulation leads to deserialization. The attack can be launched remotely.

• https://github.com/bayuncao/vul-cve
• https://github.com/bayuncao/vul-cve/blob/main/spider-flow%20fastjson%20jdbc%20deserialization
• https://vuldb.com/?ctiid.239857
• https://vuldb.com/?id.239857

• CWE-502: Deserialization of Untrusted Data