CVE-2024-54676

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-54676

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54676.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-54676

Aliases

GHSA-mjf9-4pcv-vfg7

Published

2025-01-08T09:15:07Z

Modified

2025-01-15T19:50:41Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

References

Affected packages

Git / github.com/apache/openmeetings

Affected ranges

Type: GIT
Repo: https://github.com/apache/openmeetings
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

dee83f608de8ea35362bed95c98beb4a9dc33b0c