Severity: 8.8 HIGH
EPSS: 0.4% (top 38.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 8, 2023

Description

Deserialization of Untrusted Data and Improper Input Validation vulnerability in the Apache UIMA Java SDK (the CVE record lists the Core, CPE, Vinci adapter and tools components as affected). This issue affects Apache UIMA Java SDK before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:
* the deserialization of a Java-serialized CAS, but also othe
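The bug class the description refers to, as an added illustration that is not Apache UIMA code: a service calls ObjectInputStream.readObject() on bytes a client supplied, so the sender, not the receiver, decides which class on the classpath gets instantiated. CasPayload below is a constructed stand-in for a Java-serialized CAS; UIMA's real CAS classes, its binary stream formats and the actual 3.5.0 fix are not reproduced, and the class names in the filter string are this example's assumptions. The hardened variant uses the JDK's serialization filter (java.io.ObjectInputFilter, Java 9+) as an allow-list, which is the standard check a practitioner would apply to any readObject() call that can see untrusted input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration of the bug class behind CVE-2023-39913; not Apache UIMA code.
 * CasPayload is a constructed stand-in for a Java-serialized CAS. The real UIMA
 * classes, stream formats and the 3.5.0 fix are not reproduced here.
 */
public class CasDeserializationDemo {

    /** Constructed stand-in for the object the receiving side expects to get back. */
    static final class CasPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, String> features;
        CasPayload(Map<String, String> features) { this.features = features; }
    }

    /** Vulnerable pattern: readObject() instantiates whatever class the sender encoded. */
    static Object loadUnchecked(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject(); // no check between class resolution and instantiation
        }
    }

    /**
     * Hardened pattern: a JEP 290 serialization filter allows only the classes the
     * format legitimately needs, rejects everything else ("!*"), and caps stream size
     * and nesting so a malformed stream cannot exhaust memory. Class names here are
     * this example's own assumptions about what a legitimate stream contains.
     */
    static Object loadFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                CasPayload.class.getName() + ";java.util.HashMap;java.lang.String;"
              + "maxdepth=16;maxrefs=4096;maxbytes=1048576;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowList);
            return in.readObject(); // throws InvalidClassException for any class outside the allow-list
        }
    }

    /** Helper that produces the byte stream a client would send. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> features = new HashMap<>();
        features.put("documentText", "constructed sample text");
        byte[] legit = serialize(new CasPayload(features));

        // A benign class the receiver never asked for stands in for an attacker-chosen
        // class; no real gadget chain is used or implied here.
        byte[] unexpected = serialize(new ArrayList<String>());

        System.out.println("unchecked, legit     : " + loadUnchecked(legit).getClass().getName());
        System.out.println("unchecked, unexpected: " + loadUnchecked(unexpected).getClass().getName());
        System.out.println("filtered,  legit     : " + loadFiltered(legit).getClass().getName());
        try {
            loadFiltered(unexpected);
            System.out.println("filtered,  unexpected: accepted (filter is misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,  unexpected: rejected, " + e.getMessage());
        }
    }
}
```

Compile and run with `javac CasDeserializationDemo.java && java CasDeserializationDemo` on a Java 9 or later JDK. The unchecked path returns a java.util.ArrayList it never asked for, which is exactly why the CVE record phrases the impact as "potential untrusted code execution": with a suitable class on the classpath the attacker's choice of type runs code during deserialization. The filtered path refuses it before any instance exists. For deployed services the fix is the upgrade to 3.5.0 named in the description; a process-wide filter via the `jdk.serialFilter` system property is a defence in depth that also covers readObject() calls inside third-party libraries, and is useful for confirming whether a given service ever reaches readObject() on unfiltered input.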

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
(Network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope; high impact on confidentiality, integrity and availability.)

🔴Vulnerability Details (3 sources)

OSV: Apache UIMA Java SDK Deserialization of Untrusted Data, Improper Input Validation vulnerability (2023-11-08)
GHSA: Apache UIMA Java SDK Deserialization of Untrusted Data, Improper Input Validation vulnerability (2023-11-08)
CVEList: Apache UIMA Java SDK Core, Apache UIMA Java SDK CPE, Apache UIMA Java SDK Vinci adapter, Apache UIMA Java SDK tools: Potential untrusted code execution when deserializing certain binary CAS formats (2023-11-08)

📋Vendor Advisories (1 source)

Red Hat: UIMA: deserialization of untrusted data, improper input validation vulnerability (2023-11-08)
CVE-2023-39913 (HIGH CVSS 8.8) | Deserialization of Untrusted Data | cvebase.io