Headline
GHSA-vc39-x7w6-6vj7: Apache Tapestry allows deserialization of untrusted data
Critical severity GitHub Reviewed Published Dec 2, 2022 • Updated Dec 5, 2022
Package
org.apache.tapestry:tapestry-core (Maven)
Affected versions
>= 3.0, < 4.0
Patched versions
5.0.1
Description
** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line.
NOTE: This vulnerability only affects the Apache Tapestry 3.x version line, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry; since the 4.x line is also unsupported and carries its own deserialization issue (CVE-2020-17531), the upgrade target is the 5.x line (5.0.1 or later, per the patched versions above).
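The advisory classifies the issue as CWE-502 but does not say which Tapestry 3.x component performs the deserialization or how the data reaches it. The following is an added illustration of the general pattern in Java, written for this page and not taken from Tapestry: a handler that restores an object from a client-supplied, Base64-encoded serialized blob (that request-parameter transport is an assumption for the demonstration), shown beside a hardened variant that applies a JEP 290 ObjectInputFilter allow-list. The class names PageState, Unexpected, restoreUnsafe and restoreFiltered are all hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

// Added illustration of CWE-502 in plain Java; not Tapestry code. Requires Java 9+
// for ObjectInputFilter. The Base64 "request parameter" transport is an assumption.
public class DeserializationDemo {

    // The one type the application legitimately expects to receive.
    public static final class PageState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String pageName;
        PageState(String pageName) { this.pageName = pageName; }
    }

    // A type the application never expects. It stands in for any serializable
    // gadget class on the classpath whose readObject/readResolve does real work.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unexpected.readObject ran during deserialization");
        }
    }

    // VULNERABLE: restores whatever the client sent. Any serializable class on the
    // classpath can be instantiated and its deserialization hooks executed.
    static Object restoreUnsafe(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // HARDENED: a JEP 290 allow-list. Only String and PageState resolve; "!*"
    // rejects every other class before it is loaded or its readObject runs.
    // maxdepth/maxrefs bound nested-object payloads aimed at resource exhaustion.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;" + PageState.class.getName() + ";maxdepth=5;maxrefs=100;!*");

    static Object restoreFiltered(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOW_LIST);   // must be set before the first read
            return in.readObject();
        }
    }

    // Constructed input: what a client (or an attacker) would submit.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String benign  = encode(new PageState("Home"));
        String hostile = encode(new Unexpected());

        System.out.println("unsafe,   benign : " + ((PageState) restoreUnsafe(benign)).pageName);
        System.out.println("unsafe,   hostile: " + restoreUnsafe(hostile).getClass().getSimpleName()
                + " (its readObject has already executed)");

        System.out.println("filtered, benign : " + ((PageState) restoreFiltered(benign)).pageName);
        try {
            restoreFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile: rejected -> " + e.getMessage());
        }
    }
}
```

The unsafe path prints the line from Unexpected.readObject before the caller ever sees the result, which is why a gadget chain needs no cooperation from application code; the filtered path throws InvalidClassException for the same input and never loads the class. For a deployment stuck on an unsupported 3.x line, the same pattern string can be applied process-wide with the jdk.serialFilter system property (JEP 290) as a stopgap; that is a general JVM mitigation, not something the advisory states, and it is not a substitute for the upgrade the advisory recommends.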
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-46366
- https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj
- http://www.openwall.com/lists/oss-security/2022/12/02/1
Severity
Critical, 9.8 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-502
CVE ID
CVE-2022-46366
GHSA ID
GHSA-vc39-x7w6-6vj7
Source code
No known source code