{"id":"GHSA-fvx4-8h2x-gm9q","summary":"Hippo4j privilege escalation issue","details":"OpenGoofy Hippo4j v1.4.3 contains an issue in the ThreadPoolController of the tenant management module that allows attackers to escalate privileges.","aliases":["CVE-2023-27094"],"modified":"2025-02-26T22:31:56.419260Z","published":"2023-03-23T18:30:18Z","database_specific":{"nvd_published_at":"2023-03-23T17:15:00Z","github_reviewed_at":"2023-03-23T19:48:52Z","cwe_ids":["CWE-269"],"severity":"HIGH","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27094"},{"type":"WEB","url":"https://github.com/opengoofy/hippo4j/issues/1059"},{"type":"PACKAGE","url":"https://github.com/opengoofy/hippo4j"},{"type":"WEB","url":"https://github.com/opengoofy/hippo4j/blob/develop/hippo4j-server/hippo4j-console/src/main/java/cn/hippo4j/console/controller/ThreadPoolController.java"}],"affected":[{"package":{"name":"cn.hippo4j:hippo4j-all","ecosystem":"Maven","purl":"pkg:maven/cn.hippo4j/hippo4j-all"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.4.3"}]}],"versions":["0.0.1","0.9.0","1.0.0","1.0.0-RC1","1.0.0-RC2","1.0.0-RC3","1.0.0-alpha","1.0.0-alpha2","1.0.0-alpha3","1.0.0-beta","1.0.0-beta.2","1.0.0-beta.3","1.0.0-beta.4","1.0.0-beta.5","1.0.0-beta.6","1.0.0-beta.7","1.1.0","1.1.0-RC1","1.1.0-alpha","1.1.0-alpha.2","1.1.0-beta","1.1.0-beta.2","1.1.0-beta.3","1.1.0-beta.4","1.2.0","1.2.0-RC2","1.2.0-RC3","1.2.0-RC4","1.2.0-RC5","1.2.0-RC6","1.2.0-alpha","1.2.1","1.3.0","1.3.0-beta","1.3.0-beta.2","1.3.0.alpha","1.3.1","1.4.0","1.4.0-RC","1.4.0-alpha","1.4.1","1.4.2","1.4.2-alpha","1.4.2-alpha.2","1.4.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-fvx4-8h2x-gm9q/GHSA-fvx4-8h2x-gm9q.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}