MNDT-2022-0041
Description
Apache Tapestry Framework version 3.x is affected by an unauthenticated Java unsafe deserialization vulnerability, which could lead to arbitrary code execution on the underlying server.
Impact
Very High - Exploiting the vulnerability could allow an attacker to completely compromise the application's underlying server.
Exploitability
Medium - A review of the framework's source code is required in order to identify the proper exploitation steps. As such, automated scanners cannot identify this issue.
CVE Reference
CVE-2022-46366
Technical Details
As with CVE-2020-17531 (the equivalent issue in Tapestry 4.x), the contents of the sp request parameter, which are under the end user's control, are ultimately passed to Java deserialization. For the vulnerable application to deserialize a malicious Java serialized object, however, certain modifications must be made to the payload, and the modifications required for successful exploitation of 3.x differ from those required for the 4.x vulnerability (CVE-2020-17531).
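Because no patch exists, the practical first step is to find out whether anyone has already sent a serialized object through sp. The script below is an added detection example, not code from the advisory or from the Tapestry project: it scans constructed access-log lines, extracts the sp parameter, and checks whether the value decodes (directly, or after dropping a single leading type-prefix character, optionally gzip-compressed) to a stream that starts with the java.io.ObjectOutputStream header 0xACED0005. The stream and gzip magic bytes are real; the base64/prefix/gzip layering and the log lines are assumptions made for illustration, and a real deployment would need to confirm how its Tapestry version squeezes the parameter.

```python
"""Heuristic detector for Java serialized objects in a Tapestry 'sp' parameter.

Added example for the MNDT-2022-0041 advisory; the encoding assumptions and
the sample log lines are constructed for illustration, not taken from Tapestry.
"""
import base64
import binascii
import gzip
import re
import zlib
from urllib.parse import quote, unquote, urlsplit

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
GZIP_MAGIC = b"\x1f\x8b"
_URLSAFE_TO_STD = str.maketrans("-_", "+/")

# Combined-log-format request line: source, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed stand-in for a serialized object: only the 4-byte header is real
# (every ObjectOutputStream stream begins with it); the rest is filler.
_FAKE_SERIALIZED = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap" + b"\x00" * 16

# Constructed sample access-log lines (not real traffic). The URL shape is
# illustrative only; the point is the sp value in the query string.
_PREFIX = '"GET /app?service=direct/1/Home/$DirectLink&sp='
SAMPLE_LOG_LINES = [
    # Benign string-typed value.
    '10.0.0.5 - - [02/Dec/2022:10:00:01 +0000] ' + _PREFIX + 'S%3AHome HTTP/1.1" 200 1843',
    # Assumed one-character type prefix 'O' + base64 of a gzip-compressed object.
    '10.0.0.9 - - [02/Dec/2022:10:00:07 +0000] ' + _PREFIX + 'O'
    + quote(base64.b64encode(gzip.compress(_FAKE_SERIALIZED)).decode()) + ' HTTP/1.1" 500 0',
    # Unprefixed, uncompressed object.
    '10.0.0.9 - - [02/Dec/2022:10:00:09 +0000] ' + _PREFIX
    + quote(base64.b64encode(_FAKE_SERIALIZED).decode()) + ' HTTP/1.1" 500 0',
    # Benign base64 blob that is not a serialized object.
    '10.0.0.7 - - [02/Dec/2022:10:00:12 +0000] ' + _PREFIX
    + quote(base64.b64encode(b"hello world, nothing to see here").decode()) + ' HTTP/1.1" 200 1843',
]


def _query_params(target):
    """Split the query string by hand: urllib.parse.parse_qs folds '+' into
    ' ', which would corrupt standard base64 that reached the log unencoded."""
    params = []
    for part in urlsplit(target).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.append((unquote(key), unquote(value)))
    return params


def _decode_candidates(value):
    """Yield plausible raw decodings: the value as-is and with one leading
    type-prefix character dropped (assumption), as standard or URL-safe base64
    with missing padding restored. Values that are not valid base64 are skipped."""
    for text in (value, value[1:]):
        if len(text) < 8:
            continue
        padded = text + "=" * (-len(text) % 4)
        try:
            yield base64.b64decode(padded.translate(_URLSAFE_TO_STD), validate=True)
        except binascii.Error:
            continue


def looks_like_java_serialization(raw):
    """True if raw (optionally gzip-compressed) starts with the Java stream header."""
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return False
    return raw.startswith(JAVA_STREAM_MAGIC)


def scan_line(line):
    """Return a finding dict if the line's sp parameter looks like a serialized
    Java object, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for key, value in _query_params(m.group("target")):
        if key != "sp":
            continue
        for raw in _decode_candidates(value):
            if looks_like_java_serialization(raw):
                return {
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "compressed": raw.startswith(GZIP_MAGIC),
                    "sp_length": len(value),
                }
    return None


def scan_lines(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in (scan_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        print(finding)
```

Only GET query strings appear in an access log, so sp values submitted in a POST body are invisible to this scan; covering them needs a request-body capture (reverse-proxy logging or a WAF) in front of the application, where the same decode-and-check logic applies.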
Resolution
No patch will be released, as the affected software is End-of-Life (EOL). Deployments still running Tapestry 3.x should migrate to a supported release.
Discovery Credits
Ilyass El Hadi, Mandiant
Disclosure Timeline
- 2022-10-19 - Issue reported to Apache Software Foundation (ASF).
- 2022-11-29 - ASF confirmed the issue and announced that no patch will be released, as the affected software is EOL.
- 2022-12-02 - CVE assigned and advisory released.