CVE-2022-46366 - OpenCVE

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Tapestry

Configuration 1 [-]

cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/12/02/1	Mailing List Third Party Advisory
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md	Third Party Advisory
https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj	Issue Tracking Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2022-12-02T00:00:00

Updated: 2024-06-04T17:16:08.208Z

Reserved: 2022-12-02T00:00:00

Link: CVE-2022-46366

JSON object: View

NVD Information

Status : Modified

Published: 2022-12-02T14:15:10.223

Modified: 2024-06-04T19:17:19.320

Link: CVE-2022-46366

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-46366", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-06-04T17:16:08.208Z", "dateReserved": "2022-12-02T00:00:00", "datePublished": "2022-12-02T00:00:00"}, "containers": {"cna": {"title": "Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-12-06T00:00:00"}, "descriptions": [{"lang": "en", "value": "Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry."}], "tags": ["unsupported-when-assigned"], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tapestry", "versions": [{"version": "Apache Tapestry", "status": "affected", "lessThan": "4.0.0", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj"}, {"name": "[oss-security] 20221202 CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/12/02/1"}, {"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md"}], "credits": [{"lang": "en", "value": "Apache would like to thank Ilyass El Hadi from Mandiant for reporting this issue"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-46366", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-01T14:18:53.714851Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:tapestry:-:*:*:*:*:*:*:*"], "vendor": "apache", "product": "tapestry", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:16:08.208Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4364FAE-8835-4660-9187-EBF8DF48FCC7", "versionEndExcluding": "4.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry."}, {"lang": "es", "value": "Apache Tapestry 3.x permite la deserializaci\u00f3n de datos que no son de confianza, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. Este problema es similar pero distinto de CVE-2020-17531, que aplica la l\u00ednea de versi\u00f3n 4.x (tampoco compatible). NOTA: Esta vulnerabilidad solo afecta a la versi\u00f3n 3.x de Apache Tapestry, que ya no es compatible con el fabricante. Se recomienda a los usuarios actualizar a una l\u00ednea de versi\u00f3n compatible de Apache Tapestry."}], "id": "CVE-2022-46366", "lastModified": "2024-06-04T19:17:19.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-02T14:15:10.223", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/12/02/1"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}