CVE-2022-46366

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/12/02/1	Mailing List Third Party Advisory
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md	Third Party Advisory
https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj	Issue Tracking Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:55

Type	Values Removed	Values Added
Summary	UNSUPPORTED WHEN ASSIGNED Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.	Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.

Information

Published : 2022-12-02 14:15

Updated : 2024-08-03 15:15

NVD link : CVE-2022-46366

Mitre link : CVE-2022-46366

CVE.ORG link : CVE-2022-46366

JSON object : View

Products Affected

apache

tapestry

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2022-46366", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "security@apache.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-12-02T14:15:10.223", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/12/02/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry."}, {"lang": "es", "value": "Apache Tapestry 3.x permite la deserializaci\u00f3n de datos que no son de confianza, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. Este problema es similar pero distinto de CVE-2020-17531, que aplica la l\u00ednea de versi\u00f3n 4.x (tampoco compatible). NOTA: Esta vulnerabilidad solo afecta a la versi\u00f3n 3.x de Apache Tapestry, que ya no es compatible con el fabricante. Se recomienda a los usuarios actualizar a una l\u00ednea de versi\u00f3n compatible de Apache Tapestry."}], "lastModified": "2024-08-03T15:15:36.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4364FAE-8835-4660-9187-EBF8DF48FCC7", "versionEndExcluding": "4.0.0", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}