CVE-2013-1768 – org.apache.openjpa:openjpa

Package

Manager: maven
Name: org.apache.openjpa:openjpa
Vulnerable Version: >=1.0.0 <1.2.3 || >=2.0.0 <2.2.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.10569 pctl0.92985

Details

Deserialization of Untrusted Data in Apache OpenJPA The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

Metadata

Created: 2022-05-14T03:30:19Z
Modified: 2024-02-26T22:28:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j65f-mvgw-prp2/GHSA-j65f-mvgw-prp2.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-j65f-mvgw-prp2
Finding: F096
Auto approve: 1