Apache Cayenne security advisories

Security information for Apache Cayenne

Reporting

Do you want disclose a potential security issue for Apache Cayenne? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions

CVE-2022-24289 [CVE] [CVE json] [OSV json]

Last updated: 2022-02-11T22:06:23.179Z

Affected

  • Apache Cayenne from 4.1 through 4.1

Description

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne’s optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to ‘remote’ applications.

In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

References

Credits

  • Panda