Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-C58C-W527-H77P
HistoryFeb 12, 2022 - 12:00 a.m.

Deserialization of untrusted data in Apache Cayenne

2022-02-1200:00:48
CWE-502
GitHub Advisory Database
github.com
10
apache cayenne
rop
deserialization
vulnerability
hessian
serialization
network protocol
object-based transmission
remote object persistence
java
patch
attack
payload
third-party dependency
server
arbitrary code execution
software

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.3%

JSON

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne’s optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to ‘remote’ applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

Affected configurations

Vulners
Node
org.apache.cayennecayenne-serverRange<4.1.1
VendorProductVersionCPE
org.apache.cayennecayenne-server*cpe:2.3:a:org.apache.cayenne:cayenne-server:*:*:*:*:*:*:*:*

Related

osv 2
veracode 1
cvelist 1
prion 1
cnvd 1
nvd 1
cve 1
osv
osv
CVE-2022-24289
2022-02-11 13:15:08
Deserialization of untrusted data in Apache Cayenne
2022-02-12 00:00:48
veracode
veracode
Arbitrary Code Execution
2022-02-17 04:39:36
cvelist
cvelist
CVE-2022-24289 Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions
2022-02-11 12:20:15
prion
prion
Code injection
2022-02-11 13:15:00
cnvd
cnvd
Apache Cayenne Input Validation Error Vulnerability
2022-02-15 00:00:00
nvd
nvd
CVE-2022-24289
2022-02-11 13:15:08
cve
cve
CVE-2022-24289
2022-02-11 13:15:08

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.3%

JSON
Related for GHSA-C58C-W527-H77P
osv2veracode1cvelist1prion1cnvd1nvd1cve1