MNDT-2022-0041

Description

Apache Tapestry Framework version 3.x is affected by an unauthenticated Java unsafe deserialization vulnerability, which could lead to arbitrary code execution on the underlying server.

Impact

Very High - Exploiting the vulnerability could allow an attacker to completely compromise the application's underlying server.

Exploitability

Medium - A review of the framework's source code is required in order to identify the proper exploitation steps. As such, automated scanners cannot identify this issue.

CVE Reference

CVE-2022-46366

Technical Details

Similar to CVE-2020-17531, the sp parameter's contents, which are under the end-user's control, will ultimately be deserialized. However, for the vulnerable application to deserialize the malicious Java serialized object, certain modifications must be made to the payload. The payload modifications required for successful exploitation differ from the deserialization vulnerability affecting version 4.x (CVE-2020-17531).
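Added example, not part of this advisory: a log-scanning heuristic for the pattern described above, flagging requests whose `sp` parameter unwraps (percent-decoding, base64, gzip) to the Java serialization stream header. The wrappings tried, the function names and the access-log lines are assumptions and constructed samples, not Tapestry's own encoding.

```python
import base64
import gzip
import re
import zlib
from urllib.parse import quote, unquote, urlsplit
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header

def candidate_decodings(value):
    """Yield byte forms a parameter might hide a stream in: percent-decoded raw, base64
    (standard/URL-safe), gzip-inflated base64. Tapestry's wrapping of `sp` is assumed."""
    raw = unquote(value, encoding="latin-1").encode("latin-1", errors="ignore")
    yield raw
    b64 = re.sub(rb"[^A-Za-z0-9+/=_-]", b"", raw)  # keep only base64 alphabet chars
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(b64 + b"=" * (-len(b64) % 4))  # repair missing padding
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield decoded
        try:
            yield gzip.decompress(decoded)
        except (OSError, EOFError, zlib.error):
            pass

def sp_carries_serialized_object(url):
    """True if any `sp` query parameter of the URL decodes to a Java serialized stream."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")  # value kept percent-encoded; '+' untouched
        if name == "sp" and any(JAVA_SER_MAGIC in b for b in candidate_decodings(value)):
            return True
    return False

def flag_requests(log_lines):
    """Return the access-log lines whose request URL carries a serialized object in `sp`."""
    hits = []
    for line in log_lines:
        url = line.split('"')[1].split()[1]  # request line 'GET /path?query HTTP/1.1'
        if sp_carries_serialized_object(url):
            hits.append(line)
    return hits

# Constructed sample lines: a benign value, a base64-wrapped stream header and a
# percent-encoded raw stream header. The trailing bytes are placeholders, not a gadget.
SAMPLE_B64 = quote(base64.b64encode(JAVA_SER_MAGIC + b"constructed").decode(), safe="")
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Dec/2022:10:00:01 +0000] "GET /app?service=direct/1/Home/link&sp=Shello HTTP/1.1" 200 512',
    f'10.0.0.9 - - [02/Dec/2022:10:00:02 +0000] "GET /app?service=direct/1/Home/link&sp={SAMPLE_B64} HTTP/1.1" 500 0',
    '10.0.0.9 - - [02/Dec/2022:10:00:03 +0000] "GET /app?service=direct/1/Home/link&sp=%AC%ED%00%05x HTTP/1.1" 500 0',
]
```

Run `flag_requests(SAMPLE_LOG)` to see the two suspicious lines; in production, feed real access-log lines and alert on any hit, since a legitimate client has no reason to send a serialized stream in `sp`.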

Resolution

No patch to be released as the affected software is End-of-Life (EOL).

Discovery Credits

Ilyass El Hadi, Mandiant

Disclosure Timeline

  • 2022-10-19 - Issue reported to Apache Software Foundation (ASF).
  • 2022-11-29 - Issue confirmed by ASF and announced no patch will be released as the affected software is EOL.
  • 2022-12-02 - CVE assigned and advisory released.

References