Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/12/02/1 | Mailing List Third Party Advisory |
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md | Third Party Advisory |
https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj | Issue Tracking Mailing List Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2022-12-02T00:00:00
Updated: 2024-06-04T17:16:08.208Z
Reserved: 2022-12-02T00:00:00
Link: CVE-2022-46366
JSON object: View
NVD Information
Status : Modified
Published: 2022-12-02T14:15:10.223
Modified: 2024-06-04T19:17:19.320
Link: CVE-2022-46366
JSON object: View
Redhat Information
No data.
CWE