CVE-2024-54676
CVE-2024-54676
9.8
CriticalPublished:
Last updated:
Source:security@apache.org
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
References
security@apache.org
https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95af854a3a-2127-422b-91ae-364da2661108
http://www.openwall.com/lists/oss-security/2025/01/08/1