GHSA-vc39-x7w6-6vj7: Apache Tapestry allows deserialization of untrusted data

** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line.

NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.


Apache Tapestry allows deserialization of untrusted data

Critical severity GitHub Reviewed Published Dec 2, 2022 • Updated Dec 5, 2022

Package

org.apache.tapestry:tapestry-core (Maven)

Affected versions

>= 3.0, < 4.0

Patched versions

5.0.1


References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-46366
  • https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj
  • http://www.openwall.com/lists/oss-security/2022/12/02/1

Severity

Critical, 9.8 / 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CWE-502

CVE ID

CVE-2022-46366

GHSA ID

GHSA-vc39-x7w6-6vj7

Source code

No known source code

