CVE-2023-37895

Description

Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI.

Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI.

Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive update
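As an added example (not code from the cvebase.io page or from the Jackrabbit project), the following Python triage script turns the affected ranges above into a check a practitioner can run against a deployed version string and a classpath listing. The version ranges are taken from the description; how 2.19.x or anything newer than the 2.21 branch should be treated is not stated on the page, so the script reports those as "unlisted" rather than guessing. The classpath check is a heuristic that follows from the page naming commons-beanutils as the gadget carrier (the page does not name the class itself). All sample inputs are constructed.

```python
"""Classify a deployed Apache Jackrabbit webapp/standalone version against
CVE-2023-37895 (RMI deserialization via a commons-beanutils gadget).

Ranges come from the advisory text. Handling of branches the advisory does
not mention (2.19.x, anything newer than 2.21) is an assumption and is
reported as "unlisted" instead of being guessed.
"""
import re
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    status: str    # "affected", "eol", "fixed", "unlisted", "unknown"
    advice: str


# Last affected and first fixed release per branch, as stated in the advisory.
LAST_AFFECTED = {(2, 20): (2, 20, 10), (2, 21): (2, 21, 17)}
FIRST_FIXED = {(2, 20): "2.20.11", (2, 21): "2.21.18"}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) from strings such as "2.20.10" or
    "2.21.17-SNAPSHOT"; anything after the third number is ignored."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version: str) -> Verdict:
    v = parse_version(version)
    if v is None:
        return Verdict("unknown", f"could not parse version {version!r}")
    major, minor, _ = v
    branch = (major, minor)
    if branch in LAST_AFFECTED:
        if v <= LAST_AFFECTED[branch]:
            return Verdict("affected", f"upgrade to {FIRST_FIXED[branch]} or later")
        return Verdict("fixed", "at or beyond the first fixed release of this branch")
    # 1.0.x .. 2.18.x are EOL per the advisory: no fixed release exists there.
    if major < 2 or (major == 2 and minor <= 18):
        return Verdict("eol", "branch is end-of-life; migrate to 2.20.11+ or 2.21.18+")
    # Assumption: 2.19.x and anything newer than 2.21 are not covered by the text.
    return Verdict("unlisted", "not covered by the advisory text; check upstream")


# Heuristic independent of the version check: the gadget lives in
# commons-beanutils, so that jar on the classpath of an RMI-exposed server is
# worth flagging on its own. The pattern also catches commons-beanutils-core.
_BEANUTILS_RE = re.compile(r"(^|/)commons-beanutils(-[\w.-]+)?\.jar$")


def beanutils_jars(classpath_entries) -> list:
    return [e for e in classpath_entries if _BEANUTILS_RE.search(e)]


def triage(versions, classpath_entries) -> dict:
    """Combine both checks into one report for a deployment."""
    return {
        "versions": {v: classify(v) for v in versions},
        "beanutils_jars": beanutils_jars(classpath_entries),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    sample_versions = ["2.20.10", "2.20.11", "2.21.17-SNAPSHOT",
                       "2.18.7", "1.6.5", "2.19.3", "n/a"]
    sample_classpath = ["lib/jackrabbit-core-2.20.10.jar",
                        "lib/commons-beanutils-1.9.4.jar",
                        "lib/commons-io-2.11.0.jar"]
    report = triage(sample_versions, sample_classpath)
    for ver, verdict in report["versions"].items():
        print(f"{ver:>18}: {verdict.status:<9} {verdict.advice}")
    print("commons-beanutils jars:", report["beanutils_jars"])
```

Feed `classify` the version reported by the running instance (or the jackrabbit-* jar names) and `beanutils_jars` the server's lib directory listing; an "affected" or "eol" verdict, or any beanutils jar on an RMI-exposed host, is the signal to act on.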

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base score: 9.8 (Critical) | Exploitability: 3.9 | Impact: 5.9

Vulnerability Details (4 references)

OSV: Remote code execution in Apache Jackrabbit (2023-07-25)
CVEList: Apache Jackrabbit RMI access can lead to RCE (2023-07-25)
OSV: CVE-2023-37895: Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI. Versions up to (inc... (2023-07-25)
GHSA: Remote code execution in Apache Jackrabbit (2023-07-25)

Vendor Advisories (1 reference)

Debian: CVE-2023-37895: jackrabbit - Java object deserialization issue in Jackrabbit webapp/standalone on all platfor... (2023)

Source: cvebase.io, CVE-2023-37895 (CRITICAL, CVSS 9.8)