{"schema_version": "1.6.1", "id": "CVE-2022-24289", "summary": "Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions", "details": "Hessian serialization is a network protocol that supports object-based transmission.\nApache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications.\n\nIn Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server.  This can result in arbitrary code execution.\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "4.1"}, {"last_affected": "4.1"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"}, {"type": "ADVISORY", "url": "https://lists.apache.org/thread/6dbw9xmkmc32db057wnng0m93g3nbxkt"}]}