What is CVE-2023-41331?

CVE-2023-41331 is a critical-severity vulnerability in Sofastack Sofa-rpc, classified under Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection). CVSS score: 9.8/10. Published 2023-09-12.

How severe is CVE-2023-41331?

Critical severity. CVSS v3 base score is 9.8 out of 10.

RCE in Sofastack Sofa-rpc

CVE-2023-41331

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of…

Vulnerability class: Log4Shell (CVE-2021-44228)

EPSS: 0.040 (88.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Sofastack Sofa-rpc — versions < 5.11.0

Weakness classification (CWE)

CWE-917 — Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)

References

https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86 (x_refsource_CONFIRM)
https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-41331?: CVE-2023-41331 is a critical-severity vulnerability in Sofastack Sofa-rpc, classified under Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection). CVSS score: 9.8/10. Published 2023-09-12.
How severe is CVE-2023-41331?: Critical severity. CVSS v3 base score is 9.8 out of 10.