CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52046 – Apache MINA: MINA applications using unbounded deserialization may allow RCE
https://notcve.org/view.php?id=CVE-2024-52046
25 Dec 2024 — The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10... • https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41909 – Apache MINA SSHD: integrity check bypass
https://notcve.org/view.php?id=CVE-2024-41909
12 Aug 2024 — Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and s... • https://github.com/apache/mina-sshd/issues/445 • CWE-354: Improper Validation of Integrity Check Value •