CVE-2024-54676

Severity: 9.8 CRITICAL
EPSS: 6.1% (top 9.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 8

Description

Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' confi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 3 packages

Vulnerability Details (3 sources)

GHSA: Apache OpenMeetings vulnerable to Deserialization of Untrusted Data (2025-01-08)
OSV: Apache OpenMeetings vulnerable to Deserialization of Untrusted Data (2025-01-08)
CVEList: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode (2025-01-08)
CVE-2024-54676 (CRITICAL CVSS 9.8) | Vendor: The Apache Software Foundation | cvebase.io