CVE-2022-46366

CRITICAL 9.8

Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.

CWE	CWE-502
Vendor	apache software foundation
Product	apache tapestry
Published	Dec 2, 2022
Last Updated	Aug 3, 2024

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache tapestry

Be the first to know when new critical vulnerabilities affecting apache software foundation apache tapestry are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Tapestry

Apache Tapestry < 4.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj openwall.com: http://www.openwall.com/lists/oss-security/2022/12/02/1 github.com: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md

Credits

Apache would like to thank Ilyass El Hadi from Mandiant for reporting this issue