CVE-2022-46366
Summary
| CVE | CVE-2022-46366 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-12-02 14:15:00 UTC |
| Updated | 2023-11-07 03:55:00 UTC |
| Description | ** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry. |
Risk And Classification
Problem Types: CWE-502
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Vulnerability-Disclosures/MNDT-2022-0041.md at master · mandiant/Vulnerability-Disclosures · GitHub | MISC | github.com | |
| oss-security - CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input | MLIST | www.openwall.com | |
| N/A | CONFIRM | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Apache would like to thank Ilyass El Hadi from Mandiant for reporting this issue
There are currently no legacy QID mappings associated with this CVE.