Описание
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
Ссылки
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 2.0.0 (включая) до 3.5.0 (исключая)
Одно из
cpe:2.3:a:apache:causeway:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:causeway:4.0.0:m1:*:*:*:*:*:*
EPSS
Процентиль: 70%
0.00631
Низкий
6.3 Medium
CVSS3
Дефекты
CWE-502
Связанные уязвимости
CVSS3: 6.3
github
3 месяца назад
Apache Causeway vulnerable to deserialization in Java
EPSS
Процентиль: 70%
0.00631
Низкий
6.3 Medium
CVSS3
Дефекты
CWE-502