Deserialization of untrusted data in Apache Cayenne
High severity
GitHub Reviewed
Published
Feb 12, 2022
to the GitHub Advisory Database
•
Updated Feb 3, 2023
Description
Published by the National Vulnerability Database
Feb 11, 2022
Published to the GitHub Advisory Database
Feb 12, 2022
Reviewed
Feb 14, 2022
Last updated
Feb 3, 2023
Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.
References