Deserialization of untrusted data in Apache OpenJPA - CVE-2013-1768
Published: April 24, 2018 / Updated: April 24, 2018
Vulnerability identifier: #VU12126
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2013-1768
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache OpenJPA
Apache OpenJPA
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to in the BrokerFactory functionality due to creating local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects. A remote attacker can create a serialized object, leverage improperly secured server programs and execute arbitrary code.
Successful exploitation of the vulnerability my result in system compromise.
The weakness exists due to in the BrokerFactory functionality due to creating local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects. A remote attacker can create a serialized object, leverage improperly secured server programs and execute arbitrary code.
Successful exploitation of the vulnerability my result in system compromise.
How to mitigate CVE-2013-1768
Update to version 1.2.3 or 2.2.2.