Description
Conductor vulnerable to OS command injection through unrestricted access to Java classes
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-26074
- https://github.com/conductor-oss/conductor/commit/e9816501df1e364a3d39d7fe37d6e167c40eaa1b
- https://github.com/conductor-oss/conductor/blob/main/core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java
- https://medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| org.conductoross:conductor-core (maven) | < 3.21.13 | 3.21.13 |
Related vulnerabilities
CVSS3: 9.8
nvd
7 months ago
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.