CVE-2024-52046Deserialization of Untrusted Data in Apache Mina

CWE-502Deserialization of Untrusted DataCWE-94Code Injection12 documents8 sources
Severity
10.0CRITICALNVD
EPSS
80.1%
top 0.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache MinaApache Software Foundation Apache Mina
Timeline
PublishedDec 25
Latest updateJan 15

Description

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages2 packages

NVDapache/mina2.0.02.0.27+2
CVEListV5apache_software_foundation/apache_mina2.12.1.9+1

🔴Vulnerability Details

4
CVEList
Apache MINA: MINA applications using unbounded deserialization may allow RCE2024-12-25
OSV
CVE-2024-52046: The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary2024-12-25
OSV
Apache MINA Deserialization RCE Vulnerability2024-12-25
GHSA
Apache MINA Deserialization RCE Vulnerability2024-12-25

📋Vendor Advisories

6
Oracle
Oracle Oracle HealthCare Applications Risk Matrix: XAD-PID Change Management XPID (Apache Mina) — CVE-2024-520462026-01-15
Oracle
Oracle Oracle JD Edwards Risk Matrix: Business Logic Infra SEC (Apache Mina) — CVE-2024-520462025-10-15
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Apache Mina) — CVE-2024-520462025-07-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: FileTransferJCA, VPLS Cartridge, TL1 Cartridge (Apache Mina) — CVE-2024-520462025-04-15
Red Hat
mina-core: Apache MINA: applications using unbounded deserialization may allow RCE2024-12-25

🕵️Threat Intelligence

1
Bleepingcomputer
Apache warns of critical flaws in MINA, HugeGraph, Traffic Control2024-12-26
CVE-2024-52046 — Deserialization of Untrusted Data | cvebase