8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24289

GHSA ID

GHSA-c58c-w527-h77p

EPSS Score

0.87441%

CWE

CWE-502

Published

2/12/2022

Updated

2/3/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24289

CVE-2022-24289: Deserialization of untrusted data in Apache Cayenne

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24289

GHSA ID

GHSA-c58c-w527-h77p

EPSS Score

0.87441%

CWE

CWE-502

Published

2/12/2022

Updated

2/3/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.cayenne:cayenne-server	maven	< 4.1.1	4.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around unsafe Hessian deserialization in Cayenne's ROP feature. While no direct patch code is shown, the advisory explicitly mentions that patched versions (4.1.1+) introduced whitelisting for Hessian deserialization. The core vulnerable function must be the Hessian deserialization entry point, which in Java Hessian implementations is typically a deserialize() method in the serializer class. The package structure follows Cayenne's remote service implementation conventions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**ssi*n s*ri*liz*tion is * n*twork proto*ol t**t supports o*j**t-**s** tr*nsmission. *p**** **y*nn*'s option*l R*mot* O*j**t P*rsist*n** (ROP) ***tur* is * w** s*rvi**s-**s** t***nolo*y t**t provi**s o*j**t p*rsist*n** *n* qu*ry *un*tion*lity to 'r*m

Reasoning

T** vuln*r**ility **nt*rs *roun* uns*** **ssi*n **s*ri*liz*tion in **y*nn*'s ROP ***tur*. W*il* no *ir**t p*t** *o** is s*own, t** **visory *xpli*itly m*ntions t**t p*t**** v*rsions (*.*.*+) intro*u*** w*it*listin* *or **ssi*n **s*ri*liz*tion. T** *o

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-24289: Deserialization of untrusted data in Apache Cayenne

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI