CVE-2021-37578

Severity: 9.8 CRITICAL
EPSS: 1.6% (top 18.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 29; latest update Aug 9

Description

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jU

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

NVD: apache/juddi, versions < 3.3.10
CVEList V5: apache_software_foundation/apache_juddi, versions unspecified to 3.3.10

Vulnerability Details (3)

GHSA: Deserialization of Untrusted Data in Apache jUDDI (2021-08-09)
OSV: Deserialization of Untrusted Data in Apache jUDDI (2021-08-09)
CVEList: Remote code execution via RMI (2021-07-29)