GHSA-j65f-mvgw-prp2

Source
https://github.com/advisories/GHSA-j65f-mvgw-prp2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j65f-mvgw-prp2/GHSA-j65f-mvgw-prp2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j65f-mvgw-prp2
Aliases
Published
2022-05-14T03:30:19Z
Modified
2024-12-04T05:41:29.524485Z
Summary
Deserialization of Untrusted Data in Apache OpenJPA
Details

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

Database specific
{
    "nvd_published_at": "2013-07-11T22:55:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T19:03:11Z"
}
References

Affected packages

Maven / org.apache.openjpa:openjpa

Package

Name
org.apache.openjpa:openjpa
Purl
pkg:maven/org.apache.openjpa/openjpa

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.2.3

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.0.orig
1.2.0
1.2.1
1.2.2

Maven / org.apache.openjpa:openjpa

Package

Name
org.apache.openjpa:openjpa
Purl
pkg:maven/org.apache.openjpa/openjpa

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.2.2

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1