#VU12126 Deserialization of untrusted data in Apache OpenJPA - CVE-2013-1768
Published: April 24, 2018 / Updated: April 24, 2018
Vulnerability identifier: #VU12126
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2013-1768
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache OpenJPA
Apache OpenJPA
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to in the BrokerFactory functionality due to creating local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects. A remote attacker can create a serialized object, leverage improperly secured server programs and execute arbitrary code.
Successful exploitation of the vulnerability my result in system compromise.
The weakness exists due to in the BrokerFactory functionality due to creating local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects. A remote attacker can create a serialized object, leverage improperly secured server programs and execute arbitrary code.
Successful exploitation of the vulnerability my result in system compromise.
Remediation
Update to version 1.2.3 or 2.2.2.