GoogleOSV:GHSA-J65F-MVGW-PRP2Deserialization of Untrusted Data in Apache OpenJPA
0.042 Low
EPSS
Percentile
92.3%
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
References
rhn.redhat.com/errata/RHSA-2013-1862.html
svn.apache.org/viewvc?view=revision&revision=1462076
svn.apache.org/viewvc?view=revision&revision=1462225
svn.apache.org/viewvc?view=revision&revision=1462268
svn.apache.org/viewvc?view=revision&revision=1462318
svn.apache.org/viewvc?view=revision&revision=1462328
svn.apache.org/viewvc?view=revision&revision=1462488
svn.apache.org/viewvc?view=revision&revision=1462512
svn.apache.org/viewvc?view=revision&revision=1462558
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
exchange.xforce.ibmcloud.com/vulnerabilities/82268
github.com/apache/openjpa
github.com/apache/openjpa/commit/7f14c7df6b7c7ef42f0671138b9b5dd062fe99aa
github.com/apache/openjpa/commit/87a4452be08b4f97274d0ccfac585ae85841e470
github.com/apache/openjpa/commit/b8933dc24b84e7e7430ece56bd645d425dd89f24
nvd.nist.gov/vuln/detail/CVE-2013-1768
seclists.org/fulldisclosure/2013/Jun/98
Related
