CVE-2022-46366: Deserialization of Untrusted Data

December 2, 2022 (updated November 9, 2023)

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.

References

www.openwall.com/lists/oss-security/2022/12/02/1
github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md
lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj
nvd.nist.gov/vuln/detail/CVE-2022-46366

Detect and mitigate CVE-2022-46366 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →