CVE-2022-24289

Published: Feb 11, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

Affected (1)

Products: Apache: Cayenne

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Cayenne	Before 4.2

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

http://www.openwall.com/lists/oss-security/2022/02/11/1

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc

Source: security@apache.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2022/02/11/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.