CVE-2022-24289

{"id": "CVE-2022-24289", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-02-11T13:15:08.237", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/02/11/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2022/02/11/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution."}, {"lang": "es", "value": "Hessian serialization es un protocolo de red que soporta la transmisi\u00f3n basada en objetos. La funcionalidad opcional Remote Object Persistence (ROP) de Apache Cayenne es una tecnolog\u00eda basada en servicios web que proporciona persistencia de objetos y funcionalidad de consulta a aplicaciones \"remote\". En Apache Cayenne versiones 4.1 y anteriores, que es ejecutado en versiones de parches no actuales de Java, un atacante con acceso al cliente a Cayenne ROP puede transmitir una carga \u00fatil maliciosa a cualquier dependencia vulnerable de terceros en el servidor. Esto puede resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario"}], "lastModified": "2024-11-21T06:50:05.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:cayenne:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4D5F712-3D44-4C46-8963-7CE10C4D1228", "versionEndExcluding": "4.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}