CVE-2022-46366
moderate-risk
Published 2022-12-02
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
Do I need to act?
~
3.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (6)
Third Party Advisory
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022...
Third Party Advisory
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022...
44
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
7/34 · Low
Exposure
5/34 · Minimal