CVE-2023-36480
moderate-risk
Published 2023-08-04
The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue.
Do I need to act?
~
2.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 561b53a0cf1bb35393d0113c2016707464ca9472, 861d16892220ac0eb1cf5e201338e86da8a0642f, 17de60227f7d454a3542764d2829a0f6fdec8fe3
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Aerospike Java Client
Affected Vendors
References (26)
and 6 more references
43
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
6/34 · Minimal
Exposure
5/34 · Minimal