CVE-2024-54676

Опубликовано: 08 янв. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

Ссылки

https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/01/08/1
Mailing List

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*

Версия от 2.1 (включая) до 8.0.0 (исключая)

EPSS

Процентиль: 87%

0.03191

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-502

Связанные уязвимости

GHSA-mjf9-4pcv-vfg7

github

около 1 года назад

Apache OpenMeetings vulnerable to Deserialization of Untrusted Data

BDU:2025-03166