CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24289 – Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions
https://notcve.org/view.php?id=CVE-2022-24289
11 Feb 2022 — Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitra... • http://www.openwall.com/lists/oss-security/2022/02/11/1 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0CVE-2018-11758
https://notcve.org/view.php?id=CVE-2018-11758
22 Aug 2018 — This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker. The cause of the issue is XM... • http://www.securityfocus.com/bid/105142 • CWE-611: Improper Restriction of XML External Entity Reference •