GHSA-mjf9-4pcv-vfg7 — critical GitHub Advisory (CVE-2024-54676) in maven/org.apache.openmeetings:op…

Description

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

Basic information

Type: reviewed
Severity: critical
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2025-01-08 09:30:39 UTC
Updated: 2025-01-08 16:17:39 UTC
GitHub reviewed: 2025-01-08 16:17:37 UTC
NVD published: 2025-01-08

Score	Percentile
6.12%	90.58%

CVSS Scores

Base score	Version	Severity	Vector
9.3	4.0	—	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network. Attack complexity (AC:L) Exploitation conditions are straightforward and stable. Attack requirements (AT:N) No additional preconditions are required beyond normal reachability. Privileges required (PR:N) No privileges are required. User interaction (UI:N) No user interaction is required. Vulnerable system confidentiality impact (VC:H) High confidentiality impact on the vulnerable system. Vulnerable system integrity impact (VI:H) High integrity impact on the vulnerable system. Vulnerable system availability impact (VA:H) High availability impact on the vulnerable system. Subsequent system confidentiality impact (SC:N) No confidentiality impact on subsequent systems. Subsequent system integrity impact (SI:N) No integrity impact on subsequent systems. Subsequent system availability impact (SA:N) No availability impact on subsequent systems.

Identifiers

Type	Value
GHSA	GHSA-mjf9-4pcv-vfg7 ↗
CVE	CVE-2024-54676 ↗

CWEs

CWE id	Name
CWE-502	Deserialization of Untrusted Data

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	org.apache.openmeetings:openmeetings-parent	>= 2.1.0, < 8.0.0	8.0.0	—

Apache OpenMeetings vulnerable to Deserialization of Untrusted Data