CVE-2024-54676 – org.apache.openmeetings:openmeetings-parent
Package
Manager: maven
Name: org.apache.openmeetings:openmeetings-parent
Vulnerable Version: >=2.1.0 <8.0.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03074 (percentile 0.86236)
Details
Apache OpenMeetings vulnerable to Deserialization of Untrusted Data
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify whitelists or blacklists for OpenJPA, which makes deserialization of untrusted data possible. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
Metadata
Created: 2025-01-08T09:30:39Z
Modified: 2025-01-08T16:17:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-mjf9-4pcv-vfg7/GHSA-mjf9-4pcv-vfg7.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-mjf9-4pcv-vfg7
Finding: F096
Auto approve: 1