Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tamY5LTRwY3YtdmZnN84ABDF5
Apache OpenMeetings vulnerable to Deserialization of Untrusted Data
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tamY5LTRwY3YtdmZnN84ABDF5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 21 days ago
Updated: 21 days ago
EPSS Percentage: 0.00177
EPSS Percentile: 0.55325
Identifiers: GHSA-mjf9-4pcv-vfg7, CVE-2024-54676
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-54676
- https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95
- http://www.openwall.com/lists/oss-security/2025/01/08/1
- https://github.com/apache/openmeetings/commit/1c3426c6d3abbd984a3c01a61decf1242ea38923
- https://issues.apache.org/jira/browse/OPENMEETINGS-2787
- https://github.com/advisories/GHSA-mjf9-4pcv-vfg7
Blast Radius: 0.0
Affected Packages
maven:org.apache.openmeetings:openmeetings-parent
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 2.1.0, < 8.0.0
Fixed in: 8.0.0
All affected versions: 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 4.0.0, 4.0.1, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.9, 4.0.10, 4.0.11, 5.0.0, 5.1.0, 6.2.0, 6.3.0, 7.0.0, 7.2.0
All unaffected versions: 8.0.0