GHSA-c58c-w527-h77p

Source
https://github.com/advisories/GHSA-c58c-w527-h77p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-c58c-w527-h77p/GHSA-c58c-w527-h77p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c58c-w527-h77p
Aliases
Published
2022-02-12T00:00:48Z
Modified
2023-11-08T04:08:30.433945Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Deserialization of untrusted data in Apache Cayenne
Details

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web-services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier (fixed in 4.1.1), running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious Hessian payload that is deserialized by any vulnerable third-party dependency present on the server. This can result in arbitrary code execution.

Database specific
{
    "nvd_published_at": "2022-02-11T13:15:00Z",
    "github_reviewed_at": "2022-02-14T22:48:21Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Maven / org.apache.cayenne:cayenne-server

Package

Name
org.apache.cayenne:cayenne-server
Purl
pkg:maven/org.apache.cayenne/cayenne-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.1.1

Affected versions

3.*

3.0B1
3.0M1
3.0M2
3.0M3
3.0M4
3.0M5
3.0M6
3.0RC1
3.0RC2
3.0RC3
3.0
3.0.1
3.0.2
3.1B1
3.1B2
3.1M1
3.1M2
3.1M3
3.1RC1
3.1
3.1.1
3.1.2
3.1.3
3.2M1

4.*

4.0.B1
4.0.B2
4.0.M2
4.0.M3
4.0.M4
4.0.M5
4.0.RC1
4.0
4.0.1
4.0.2
4.0.3
4.1.B1
4.1.B2
4.1.M1
4.1.M2
4.1.RC1
4.1.RC2
4.1
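
The affected range above is expressed as an OSV ECOSYSTEM range (introduced 0, fixed 4.1.1) over Maven version strings, so deciding whether a given build is affected requires Maven's qualifier ordering (4.1.RC2 sorts before 4.1, which sorts before 4.1.1). The following Python checker is an added example written for this page; it is not OSV's or Apache Cayenne's code. It implements a simplified subset of Maven's ComparableVersion ordering, transcribes the advisory's package and range from this page, and runs the check over a constructed `mvn dependency:list` excerpt (the coordinates and versions in DEPENDENCY_LIST other than cayenne-server are made up for illustration). It also confirms that every version listed under "Affected versions" on this page falls inside the range.

```python
import re

# Advisory data transcribed from this page (GHSA-c58c-w527-h77p).
ADVISORY = {
    "id": "GHSA-c58c-w527-h77p",
    "package": "org.apache.cayenne:cayenne-server",
    "ranges": [{"introduced": "0", "fixed": "4.1.1"}],
}

# Versions listed on this page under "Affected versions".
LISTED_AFFECTED = (
    "3.0B1", "3.0M1", "3.0M2", "3.0M3", "3.0M4", "3.0M5", "3.0M6", "3.0RC1",
    "3.0RC2", "3.0RC3", "3.0", "3.0.1", "3.0.2", "3.1B1", "3.1B2", "3.1M1",
    "3.1M2", "3.1M3", "3.1RC1", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.2M1",
    "4.0.B1", "4.0.B2", "4.0.M2", "4.0.M3", "4.0.M4", "4.0.M5", "4.0.RC1",
    "4.0", "4.0.1", "4.0.2", "4.0.3", "4.1.B1", "4.1.B2", "4.1.M1", "4.1.M2",
    "4.1.RC1", "4.1.RC2", "4.1",
)

# Constructed `mvn dependency:list` excerpt (hypothetical, not real output).
DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.cayenne:cayenne-server:jar:4.0.2:compile
[INFO]    org.apache.cayenne:cayenne-server:jar:4.1.1:test
[INFO]    com.example:other-lib:jar:1.2.3:compile
"""

# Maven qualifier ranking (simplified from ComparableVersion): pre-release
# qualifiers sort before a bare release, "sp" and unknown qualifiers after it.
RELEASE_RANK = 6
QUALIFIER_RANK = {
    "alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
    "rc": 4, "cr": 4, "snapshot": 5,
    "": RELEASE_RANK, "ga": RELEASE_RANK, "final": RELEASE_RANK,
    "release": RELEASE_RANK, "sp": 7,
}
UNKNOWN_RANK = 8
_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(v):
    """Split a Maven-style version into comparable items.
    Numbers become ("n", int); letters become ("q", rank, lowercase text).
    Separators and digit/letter transitions both act as token boundaries,
    so 3.0B1, 4.0.M5 and 4.1.RC2 all parse as intended."""
    items = []
    for tok in _TOKEN.findall(v):
        if tok.isdigit():
            items.append(("n", int(tok)))
        else:
            q = tok.lower()
            items.append(("q", QUALIFIER_RANK.get(q, UNKNOWN_RANK), q))
    return items


def _cmp_item(a, b):
    """Compare two parsed items; None stands for a missing position."""
    if a is None and b is None:
        return 0
    if a is None:
        return -_cmp_item(b, None)
    if b is None:
        if a[0] == "n":
            return (a[1] > 0) - (a[1] < 0)          # 4.1.0 == 4.1
        return (a[1] > RELEASE_RANK) - (a[1] < RELEASE_RANK)  # 4.1.RC2 < 4.1
    if a[0] != b[0]:
        return 1 if a[0] == "n" else -1             # numeric beats qualifier
    if a[0] == "n":
        return (a[1] > b[1]) - (a[1] < b[1])
    return (a[1:] > b[1:]) - (a[1:] < b[1:])        # rank, then spelling


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in Maven ordering."""
    ia, ib = parse_version(a), parse_version(b)
    for i in range(max(len(ia), len(ib))):
        c = _cmp_item(ia[i] if i < len(ia) else None,
                      ib[i] if i < len(ib) else None)
        if c:
            return c
    return 0


def is_affected(name, version, advisory=ADVISORY):
    """OSV range semantics: introduced <= version < fixed (fixed exclusive)."""
    if name != advisory["package"]:
        return False
    for r in advisory["ranges"]:
        lo, hi = r["introduced"], r.get("fixed")
        if compare_versions(version, lo) >= 0 and (
                hi is None or compare_versions(version, hi) < 0):
            return True
    return False


def scan_dependency_list(text, advisory=ADVISORY):
    """Flag `mvn dependency:list` lines (groupId:artifactId:type[:classifier]:
    version:scope) whose version falls in the advisory's range."""
    hits = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "", 1).strip().split(":")
        if len(parts) not in (5, 6):
            continue
        name, version = f"{parts[0]}:{parts[1]}", parts[-2]
        if is_affected(name, version, advisory):
            hits.append((name, version))
    return hits


def unaffected_listed_versions():
    """Listed versions the range check fails to flag; expected to be empty."""
    return [v for v in LISTED_AFFECTED
            if not is_affected(ADVISORY["package"], v)]


if __name__ == "__main__":
    print(scan_dependency_list(DEPENDENCY_LIST))
    print("range misses listed versions:", unaffected_listed_versions())
```

Note that a pre-release build of the fix (for example 4.1.1-SNAPSHOT) is still inside the range, because snapshot qualifiers sort before the release; this matches Maven's ordering and is the behaviour you want from a range checker.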