Vulnerability Details CVE-2022-46366
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.031
EPSS Ranking 86.3%
CVSS Severity
CVSS v3 Score 9.8
References
- http://www.openwall.com/lists/oss-security/2022/12/02/1
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md
- https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj
- http://www.openwall.com/lists/oss-security/2022/12/02/1
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md
- https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj
Products affected by CVE-2022-46366
-
cpe:2.3:a:apache:tapestry:3.0.0
-
cpe:2.3:a:apache:tapestry:3.0.1
-
cpe:2.3:a:apache:tapestry:3.0.2
-
cpe:2.3:a:apache:tapestry:3.0.3
-
cpe:2.3:a:apache:tapestry:3.0.4
-
cpe:2.3:a:apache:tapestry:3.1.0