CVE-2022-46366

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

9.8CRITICAL

EPSS

3.9%

top 11.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tapestry Apache Tapestry

Timeline

PublishedDec 2

Description

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/tapestry3.0.0 — 4.0.0

▶Mavenorg.apache.tapestry:tapestry-core3.0 — 5.0.1

▶CVEListV5apache_software_foundation/apache_tapestryApache Tapestry — 4.0.0

🔴Vulnerability Details

CVEList

Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input↗2022-12-02

▶

GHSA

Apache Tapestry allows deserialization of untrusted data↗2022-12-02

▶

OSV

Apache Tapestry allows deserialization of untrusted data↗2022-12-02

▶

📋Vendor Advisories

Red Hat

Tapestry: prior to version 4 (EOL) allows RCE though deserialization of untrusted input↗2022-12-02

▶