CVE-2024-54676: Apache OpenMeetings vulnerable to Deserialization of Untrusted Data

January 8, 2025

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn’t specify allow/deny lists for OpenJPA this leads to possible deserialisation of untrusted data.

References

github.com/advisories/GHSA-mjf9-4pcv-vfg7
github.com/apache/openmeetings
github.com/apache/openmeetings/commit/1c3426c6d3abbd984a3c01a61decf1242ea38923
issues.apache.org/jira/browse/OPENMEETINGS-2787
lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95
nvd.nist.gov/vuln/detail/CVE-2024-54676

Code Behaviors & Features

Detect and mitigate CVE-2024-54676 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →