CVE-2013-1777 – org.apache.geronimo.framework:geronimo-jmx-remoting
Package
Manager: maven
Name: org.apache.geronimo.framework:geronimo-jmx-remoting
Vulnerable Version: >=3.0-beta-1 <3.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.04819 pctl0.89089
Details
Summary: Apache Geronimo JMX Remoting functionality allows remote code execution in 3.x before 3.0.1.
Description: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.
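To triage a dependency inventory against this advisory, the following added example (not part of the advisory and not code from the Geronimo project) checks Maven coordinates against the vulnerable range >=3.0-beta-1 <3.0.1 given in the Package section. It uses a simplified re-implementation of Maven's ComparableVersion ordering so that pre-release qualifiers such as beta-1 and SNAPSHOT are placed correctly relative to the release versions. The mvn dependency:tree lines it parses are constructed sample input; the com.example:shop module and the sibling artifacts in it are hypothetical.

```python
"""Flag Maven artifacts that fall inside an advisory's vulnerable version range.

Added example, not part of the advisory. The version comparison is a
simplified re-implementation of Maven's ComparableVersion ordering
(numeric segments; alpha < beta < milestone < rc < snapshot < release < sp).
It covers the version forms seen in ordinary Maven coordinates, not every
corner case of the real implementation.
"""
import re

# Affected package and range, as stated in the advisory.
AFFECTED_GROUP = "org.apache.geronimo.framework"
AFFECTED_ARTIFACT = "geronimo-jmx-remoting"
INTRODUCED = "3.0-beta-1"   # inclusive lower bound (>=)
FIXED = "3.0.1"             # exclusive upper bound (<)

# Known Maven qualifiers and their ordering; the empty qualifier is a plain release.
_RELEASE_RANK = 6
_QUALIFIERS = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
               "rc": 4, "cr": 4, "snapshot": 5, "": 6, "ga": 6, "final": 6,
               "release": 6, "sp": 7}
# Split on '.', '-', and digit/letter boundaries: "3.0-beta-1" -> 3, 0, beta, 1
_SPLIT = re.compile(r"[.\-]|(?<=\d)(?=[a-z])|(?<=[a-z])(?=\d)")


def tokenize(version):
    """Break a version into comparable items: numbers as (1, n, ""), qualifiers as
    (0, rank, text). The leading 1 makes a numeric item outrank any qualifier, as in Maven."""
    items = []
    for part in _SPLIT.split(version.strip().lower()):
        if not part:
            continue
        if part.isdigit():
            items.append((1, int(part), ""))
        else:
            items.append((0, _QUALIFIERS.get(part, 8), part))  # unknown qualifiers sort last
    # Trailing zeros and release qualifiers are insignificant: 3.0.0 == 3.0 == 3.0-final
    while items and (items[-1] == (1, 0, "") or
                     (items[-1][0] == 0 and items[-1][1] == _RELEASE_RANK)):
        items.pop()
    return items


def _cmp_item(a, b):
    """Compare two items; None means that version has no more items."""
    if a is None and b is None:
        return 0
    if a is None:
        return -_cmp_item(b, None)
    if b is None:
        # A trailing number counts only when non-zero (3.0.1 > 3.0); a trailing
        # qualifier is compared against the implicit release (3.0-beta-1 < 3.0 < 3.0-sp1).
        if a[0] == 1:
            return 1 if a[1] else 0
        return (a[1] > _RELEASE_RANK) - (a[1] < _RELEASE_RANK)
    return (a > b) - (a < b)


def compare_versions(x, y):
    """Return -1, 0 or 1 for x < y, x == y, x > y under Maven ordering."""
    xs, ys = tokenize(x), tokenize(y)
    for i in range(max(len(xs), len(ys))):
        c = _cmp_item(xs[i] if i < len(xs) else None, ys[i] if i < len(ys) else None)
        if c:
            return c
    return 0


def is_vulnerable(version, introduced=INTRODUCED, fixed=FIXED):
    """True when introduced <= version < fixed."""
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def parse_tree(tree_text):
    """Yield (group, artifact, version) from `mvn dependency:tree` output.
    Coordinates are group:artifact:type[:classifier]:version[:scope]; the version is the
    last field on the root module line and the second-to-last once a scope is present."""
    for line in tree_text.splitlines():
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        body = line.strip(" |+\\-")          # drop the tree-drawing prefix
        if not body:
            continue
        parts = body.split()[0].split(":")
        if len(parts) < 4:                   # plugin banners, "BUILD SUCCESS", etc.
            continue
        version = parts[3] if len(parts) == 4 else parts[-2]
        yield parts[0], parts[1], version


def find_vulnerable(tree_text, group=AFFECTED_GROUP, artifact=AFFECTED_ARTIFACT):
    """Versions of the affected artifact in the tree that fall inside the vulnerable range."""
    return [v for g, a, v in parse_tree(tree_text)
            if g == group and a == artifact and is_vulnerable(v)]


# Constructed sample of `mvn dependency:tree` output (hypothetical module and siblings).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ shop ---
[INFO] com.example:shop:war:1.4.2
[INFO] +- org.apache.geronimo.framework:geronimo-jmx-remoting:jar:3.0.0:compile
[INFO] |  \\- org.apache.geronimo.framework:geronimo-kernel:jar:3.0.0:compile
[INFO] +- org.apache.geronimo.framework:geronimo-system:jar:3.0.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

if __name__ == "__main__":
    for v in ("2.2.1", "3.0-beta-1", "3.0", "3.0.1-SNAPSHOT", "3.0.1"):
        print(f"{v:>16}: {'VULNERABLE' if is_vulnerable(v) else 'ok'}")
    print("hits in sample tree:", find_vulnerable(SAMPLE_TREE))
```

Two ordering details matter for this range: 3.0-beta-1 sorts below the plain 3.0 release, so the lower bound catches the beta while leaving 3.0-alpha-1 out, and 3.0.1-SNAPSHOT sorts below 3.0.1, so a pre-release build of the fixed version is still reported as affected. For a real project, feed the output of mvn dependency:tree to find_vulnerable instead of the constructed sample.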
Metadata
Created: 2022-05-17T04:48:11Z
Modified: 2024-03-05T18:31:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v64w-96p6-fx7w/GHSA-v64w-96p6-fx7w.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-v64w-96p6-fx7w
Finding: F422
Auto approve: 1