
=====================================================================

                                 CERT-Renater

                     Information Note No. 2022/VULN444

_____________________________________________________________________

DATE                : 05/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tapestry versions prior
                     to 4 (EOL).

=====================================================================
https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj
_____________________________________________________________________

CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE
through deserialization of untrusted input

Description:

** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows
deserialization of untrusted data, leading to remote code execution.
This issue is similar to but distinct from CVE-2020-17531, which
applies to the (also unsupported) 4.x version line. NOTE: This
vulnerability only affects the Apache Tapestry 3.x version line, which
is no longer supported by the maintainer. Users are recommended
to upgrade to a supported version line of Apache Tapestry.


Credit:

Apache would like to thank Ilyass El Hadi from Mandiant for
reporting this issue.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================