Refine your search
8 vulnerabilities found for Apache MINA by Apache Software Foundation
CVE-2026-47065 (GCVE-0-2026-47065)
Vulnerability from cvelistv5
Published
2026-06-03 09:39
Modified
2026-06-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy
Assessment: Fully addressed.
When the serialised stream contains a TC_PROXYCLASSDESC (the marker
for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc()
is
dispatched. JDK then calls the default
ObjectInputStream.resolveProxyClass(interfaces) implementation, which
performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH
interface name and constructs the proxy class — bypassing the accepted
classes list .
ZDRES-233: Class.forName(name, initialize=true, classLoader) in
readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes
Assessment: Fully addressed.
For ANY class on the allow-list, deserialising a stream that names it triggers the class’s
(static initialiser) BEFORE any instance is constructed. This means an
attacker who supplies a class name on the allow-list (e.g., the
developer wrote accept(“com.myapp.*") , attacker supplies
com.myapp.SomeClass ) causes <clinit> of SomeClass — and many
real-world classes have side-effecting static initialisers
Both issues have been fixed.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: 2.2.0 ≤ Version: 2.1.0 ≤ Version: 2.0.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T03:55:48.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina-core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.2.8",
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThan": "2.1.13",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"lessThan": "2.0.29",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, SecureIn"
},
{
"lang": "en",
"type": "finder",
"value": "keda (GitHub: @yuui25)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy\u003c/p\u003e\n\u003cp\u003eAssessment: Fully addressed.\u003c/p\u003e\n\u003cp\u003eWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker \nfor a java.lang.reflect.Proxy ), JDK\u2019s ObjectInputStream.readProxyDesc()\n is\ndispatched. JDK then calls the default \nObjectInputStream.resolveProxyClass(interfaces) implementation, which \nperforms Class.forName(intf, false, latestUserDefinedLoader()) for EACH \ninterface name and constructs the proxy class \u00e2\u20ac\u201d bypassing the accepted\n classes list .\u003c/p\u003e\n\u003cp\u003eZDRES-233: Class.forName(name, initialize=true, classLoader) in \nreadClassDescriptor Triggers Static Initialiser of Allow-Listed Classes\u003c/p\u003e\n\u003cp\u003eAssessment: Fully addressed.\u003c/p\u003e\n\u003cp\u003eFor ANY class on the allow-list, deserialising a stream that names it triggers the class\u2019s \n (static initialiser) BEFORE any instance is constructed. This means an \nattacker who supplies a class name on the allow-list (e.g., the \ndeveloper wrote accept(\u201ccom.myapp.*\") , attacker supplies \ncom.myapp.SomeClass ) causes \u0026lt;clinit\u0026gt; of SomeClass \u00e2\u20ac\u201d and many \nreal-world classes have side-effecting static initialisers\u003c/p\u003e\n\u003cp\u003eBoth issues have been fixed.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy\n\n\nAssessment: Fully addressed.\n\n\nWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker \nfor a java.lang.reflect.Proxy ), JDK\u2019s ObjectInputStream.readProxyDesc()\n is\ndispatched. JDK then calls the default \nObjectInputStream.resolveProxyClass(interfaces) implementation, which \nperforms Class.forName(intf, false, latestUserDefinedLoader()) for EACH \ninterface name and constructs the proxy class \u00e2\u20ac\u201d bypassing the accepted\n classes list .\n\n\nZDRES-233: Class.forName(name, initialize=true, classLoader) in \nreadClassDescriptor Triggers Static Initialiser of Allow-Listed Classes\n\n\nAssessment: Fully addressed.\n\n\nFor ANY class on the allow-list, deserialising a stream that names it triggers the class\u2019s \n (static initialiser) BEFORE any instance is constructed. This means an \nattacker who supplies a class name on the allow-list (e.g., the \ndeveloper wrote accept(\u201ccom.myapp.*\") , attacker supplies \ncom.myapp.SomeClass ) causes \u003cclinit\u003e of SomeClass \u00e2\u20ac\u201d and many \nreal-world classes have side-effecting static initialisers\n\n\nBoth issues have been fixed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T22:28:41.093Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-47065",
"datePublished": "2026-06-03T09:39:41.629Z",
"dateReserved": "2026-05-18T16:53:39.555Z",
"dateUpdated": "2026-06-04T03:55:48.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42778 (GCVE-0-2026-42778)
Vulnerability from cvelistv5
Published
2026-05-01 10:01
Modified
2026-05-02 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: 2.2.X ≤ 2.2.6 Version: 2.1.X ≤ 2.1.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T03:55:26.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina/",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina.core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "2.2.X",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.11",
"status": "affected",
"version": "2.1.X",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, Securin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected versions are Apache MINA 2.1.0 \u0026lt;= 2.1.11, and 2.2.0 \u0026lt;= 2.2.6.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected are applications using Apache MINA that call IoBuffer.getObject().\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApplications using Apache MINA are advised to upgrade\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected versions are Apache MINA 2.1.0 \u0026lt;= 2.1.110, and 2.2.0 \u0026lt;= 2.2.6.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected are applications using Apache MINA that call IoBuffer.getObject().\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApplications using Apache MINA are advised to upgrade\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\nThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.1.0 \u003c= 2.1.11, and 2.2.0 \u003c= 2.2.6.\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade\n\n\n\n\n\n\nThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.1.0 \u003c= 2.1.110, and 2.2.0 \u003c= 2.2.6.\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T10:01:10.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA: CWE-502 Deserialization of Untrusted Data (take 2)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-42778",
"datePublished": "2026-05-01T10:01:10.081Z",
"dateReserved": "2026-04-29T13:31:49.189Z",
"dateUpdated": "2026-05-02T03:55:26.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42779 (GCVE-0-2026-42779)
Vulnerability from cvelistv5
Published
2026-05-01 10:00
Modified
2026-05-02 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks if the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: 2.2.X ≤ 2.2.6 Version: 2.1.X ≤ 2.1.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T03:55:25.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina-core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "2.2.X",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.11",
"status": "affected",
"version": "2.1.X",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, Securin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eThe fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApache \u003cb\u003eMINA\u003c/b\u003e\u0027s \u003ci\u003eAbstractIoBuffer.resolveClass()\u003c/i\u003e contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe fix checks if the class is present in the accepted class filter \u003cb\u003ebefore\u003c/b\u003e calling \u003ci\u003eClass.forName()\u003c/i\u003e. \u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003eAffected versions are Apache MINA 2.1.0 \u0026lt;= 2.1.11, and 2.2.0 \u0026lt;= 2.2.6.\n\u003cbr\u003e\n\n\u003cbr\u003e\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\u003cbr\u003e\n\n\u003cbr\u003e\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\u003cbr\u003e\n\n\u003cbr\u003e\nApplications using Apache MINA are advised to upgrade."
}
],
"value": "The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\n\n\n\n\n\n\n\nApache MINA\u0027s AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter before calling Class.forName(). \n\n\n\n\n\n\nAffected versions are Apache MINA 2.1.0 \u003c= 2.1.11, and 2.2.0 \u003c= 2.2.6.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T10:00:43.712Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter \u2014 Full Object Deserialization RCE (take 2)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-42779",
"datePublished": "2026-05-01T10:00:43.712Z",
"dateReserved": "2026-04-29T13:32:57.549Z",
"dateUpdated": "2026-05-02T03:55:25.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41409 (GCVE-0-2026-41409)
Vulnerability from cvelistv5
Published
2026-04-27 09:20
Modified
2026-04-27 12:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: 2.2.0 ≤ 2.2.5 Version: 2.1.0 ≤ 2.1.10 Version: 2.0.0 ≤ 2.0.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T12:21:46.348024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T12:21:52.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina/",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina.core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.10",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.0.27",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, Securin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected versions are Apache MINA 2.0.0 \u0026lt;= 2.0.27, 2.1.0 \u0026lt;= 2.1.10, and 2.2.0 \u0026lt;= 2.2.5.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected are applications using Apache MINA that call IoBuffer.getObject().\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApplications using Apache MINA are advised to upgrade\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 \u003c= 2.0.27, 2.1.0 \u003c= 2.1.10, and 2.2.0 \u003c= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T09:20:12.866Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA: CWE-502 Deserialization of Untrusted Data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41409",
"datePublished": "2026-04-27T09:20:12.866Z",
"dateReserved": "2026-04-20T15:04:54.505Z",
"dateUpdated": "2026-04-27T12:21:52.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41635 (GCVE-0-2026-41635)
Vulnerability from cvelistv5
Published
2026-04-27 08:59
Modified
2026-04-28 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks if the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and
2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: 2.2.0 ≤ 2.2.5 Version: 2.1.0 ≤ 2.1.10 Version: 2.0.0 ≤ 2.0.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T03:55:38.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-27T16:32:59.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/27/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina-core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.10",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.0.27",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, Securin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eApache \u003cb\u003eMINA\u003c/b\u003e\u0027s \u003ci\u003eAbstractIoBuffer.resolveClass()\u003c/i\u003e contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe fix checks if the class is present in the accepted class filter\u0026nbsp;\u003cb\u003ebefore\u003c/b\u003e calling\u0026nbsp;\u003ci\u003eClass.forName()\u003c/i\u003e.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003eAffected versions are Apache MINA 2.0.0 \u0026lt;= 2.0.27, 2.1.0 \u0026lt;= 2.1.10, and\n\u003cbr\u003e\n2.2.0 \u0026lt;= 2.2.5.\n\u003cbr\u003e\n\n\u003cbr\u003e\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\u003cbr\u003e\n\n\u003cbr\u003e\nAffected are applications using Apache MINA that call\u0026nbsp; IoBuffer.getObject().\n\u003cbr\u003e\n\n\u003cbr\u003e\nApplications using Apache MINA are advised to upgrade.\u003cdiv\u003e\u003c/div\u003e"
}
],
"value": "Apache MINA\u0027s AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter\u00a0before calling\u00a0Class.forName().\u00a0\n\n\n\n\n\n\nAffected versions are Apache MINA 2.0.0 \u003c= 2.0.27, 2.1.0 \u003c= 2.1.10, and\n\n\n2.2.0 \u003c= 2.2.5.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call\u00a0 IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T09:15:46.203Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm"
}
],
"source": {
"advisory": "ZDRES-059",
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-17T00:00:00.000Z",
"value": "Initial reporting"
}
],
"title": "Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter \u2014 Full Object Deserialization RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41635",
"datePublished": "2026-04-27T08:59:50.652Z",
"dateReserved": "2026-04-21T22:18:22.755Z",
"dateUpdated": "2026-04-28T03:55:38.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52046 (GCVE-0-2024-52046)
Vulnerability from cvelistv5
Published
2024-12-25 10:06
Modified
2025-08-02 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process
incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows
attackers to exploit the deserialization process by sending specially crafted malicious serialized data,
potentially leading to remote code execution (RCE) attacks.
This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.
It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.
Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:
/**
* Accept class names where the supplied ClassNameMatcher matches for
* deserialization, unless they are otherwise rejected.
*
* @param classNameMatcher the matcher to use
*/
public void accept(ClassNameMatcher classNameMatcher)
/**
* Accept class names that match the supplied pattern for
* deserialization, unless they are otherwise rejected.
*
* @param pattern standard Java regexp
*/
public void accept(Pattern pattern)
/**
* Accept the wildcard specified classes for deserialization,
* unless they are otherwise rejected.
*
* @param patterns Wildcard file name patterns as defined by
* {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
*/
public void accept(String... patterns)
By default, the decoder will reject *all* classes that will be present in the incoming data.
Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: 2.1 ≤ 2.1.9 Version: 2.2 ≤ 2.2.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-03T12:04:29.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/12/25/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250103-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-02T03:55:42.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina-core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.0.26",
"status": "unknown",
"version": "2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.9",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.2.3",
"status": "affected",
"version": "2.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The initial report was submitted by Bofei Chen, with all the necessary bits to reproduce the RCE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\t\t\t\u003cdiv\u003e\n\t\t\t\t\u003cdiv\u003e\n\t\t\t\t\t\u003cdiv\u003e\n\t\t\t\t\t\t\u003cp\u003eThe ObjectSerializationDecoder in Apache MINA uses Java\u2019s native deserialization protocol to process\nincoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows\nattackers to exploit the deserialization process by sending specially crafted malicious serialized data,\npotentially leading to remote code execution (RCE) attacks.\n\u003c/p\u003e\n\t\t\t\t\t\u003c/div\u003e\n\t\t\t\t\u003c/div\u003e\n\t\t\t\u003c/div\u003e\n\t\t\u003c/div\u003e\u003cdiv\u003e\n\t\nThis issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eIt\u0027s also important to note that an application using MINA core library will only be affected if the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIoBuffer#getObject\u003c/span\u003e\u003c/span\u003e() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(212, 212, 212);\"\u003eObjectSerializationCodecFactory\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUpgrading will\u0026nbsp; not be enough: you also need to explicitly allow the classes the decoder will accept in the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(212, 212, 212);\"\u003eObjectSerializationDecoder\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e instance, using one of the three new methods:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e /**\u003c/p\u003e\u003cp\u003e\u0026nbsp; \u0026nbsp;\u0026nbsp; * Accept class names where the supplied ClassNameMatcher matches for\u003c/p\u003e\u003cp\u003e * deserialization, unless they are otherwise rejected.\u003c/p\u003e\u003cp\u003e *\u003c/p\u003e\u003cp\u003e * @param classNameMatcher the matcher to use\u003c/p\u003e\u003cp\u003e */\u003c/p\u003e\u003cp\u003e public void \u003cspan style=\"background-color: rgb(212, 212, 212);\"\u003eaccept\u003c/span\u003e(ClassNameMatcher classNameMatcher)\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e /**\u003c/p\u003e\u003cp\u003e * Accept class names that match the supplied pattern for\u003c/p\u003e\u003cp\u003e * deserialization, unless they are otherwise rejected.\u003c/p\u003e\u003cp\u003e *\u003c/p\u003e\u003cp\u003e * @param pattern standard Java regexp\u003c/p\u003e\u003cp\u003e */\u003c/p\u003e\u003cp\u003e public void accept(Pattern pattern) \u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e /**\u003c/p\u003e\u003cp\u003e * Accept the wildcard specified classes for deserialization,\u003c/p\u003e\u003cp\u003e * unless they are otherwise rejected.\u003c/p\u003e\u003cp\u003e *\u003c/p\u003e\u003cp\u003e * @param patterns Wildcard file name patterns as defined by\u003c/p\u003e\u003cp\u003e * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}\u003c/p\u003e\u003cp\u003e */\u003c/p\u003e\u003cp\u003e public void accept(String... patterns)\u003cbr\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eBy default, the decoder will reject *all* classes that will be present in the incoming data.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eNote: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "The ObjectSerializationDecoder in Apache MINA uses Java\u2019s native deserialization protocol to process\nincoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows\nattackers to exploit the deserialization process by sending specially crafted malicious serialized data,\npotentially leading to remote code execution (RCE) attacks.\n\n\n\n\t\t\t\t\t\n\n\n\t\t\t\t\n\n\n\t\t\t\n\n\n\t\t\n\n\n\t\nThis issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.\n\n\n\n\n\nIt\u0027s also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.\n\n\n\n\nUpgrading will\u00a0 not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:\n\n\n\n\n /**\n\n\u00a0 \u00a0\u00a0 * Accept class names where the supplied ClassNameMatcher matches for\n\n * deserialization, unless they are otherwise rejected.\n\n *\n\n * @param classNameMatcher the matcher to use\n\n */\n\n public void accept(ClassNameMatcher classNameMatcher)\n\n\n\n\n /**\n\n * Accept class names that match the supplied pattern for\n\n * deserialization, unless they are otherwise rejected.\n\n *\n\n * @param pattern standard Java regexp\n\n */\n\n public void accept(Pattern pattern) \n\n\n\n\n\n /**\n\n * Accept the wildcard specified classes for deserialization,\n\n * unless they are otherwise rejected.\n\n *\n\n * @param patterns Wildcard file name patterns as defined by\n\n * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}\n\n */\n\n public void accept(String... patterns)\n\n\n\n\n\n\n\nBy default, the decoder will reject *all* classes that will be present in the incoming data.\n\n\n\n\n\n\n\nNote: The FtpServer, SSHd and Vysper sub-project are not affected by this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T09:33:36.380Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache MINA: MINA applications using unbounded deserialization may allow RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-52046",
"datePublished": "2024-12-25T10:06:23.887Z",
"dateReserved": "2024-11-05T13:13:06.944Z",
"dateUpdated": "2025-08-02T03:55:42.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41973 (GCVE-0-2021-41973)
Vulnerability from cvelistv5
Published
2021-11-01 08:35
Modified
2024-08-04 03:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: Apache MINA < 2.1.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:22:25.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E"
},
{
"name": "[oss-security] 20211101 [ANNOUNCE] Apache MINA 2.0.22 \u0026 2.1.5 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/2"
},
{
"name": "[oss-security] 20211101 CVE-2021-41973: Apache MINA HTTP listener DOS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"changes": [
{
"at": "2.0.22",
"status": "unaffected"
}
],
"lessThan": "2.1.5",
"status": "affected",
"version": "Apache MINA",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater."
}
],
"metrics": [
{
"other": {
"content": {
"other": "critical"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:57:05.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E"
},
{
"name": "[oss-security] 20211101 [ANNOUNCE] Apache MINA 2.0.22 \u0026 2.1.5 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/2"
},
{
"name": "[oss-security] 20211101 CVE-2021-41973: Apache MINA HTTP listener DOS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA HTTP listener DOS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-41973",
"STATE": "PUBLIC",
"TITLE": "Apache MINA HTTP listener DOS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache MINA",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache MINA",
"version_value": "2.1.5"
},
{
"version_affected": "\u003c",
"version_name": "Apache MINA",
"version_value": "2.0.22"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "critical"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E"
},
{
"name": "[oss-security] 20211101 [ANNOUNCE] Apache MINA 2.0.22 \u0026 2.1.5 released",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/2"
},
{
"name": "[oss-security] 20211101 CVE-2021-41973: Apache MINA HTTP listener DOS",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/01/8"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-41973",
"datePublished": "2021-11-01T08:35:09.000Z",
"dateReserved": "2021-10-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:22:25.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0231 (GCVE-0-2019-0231)
Vulnerability from cvelistv5
Published
2019-10-01 19:39
Modified
2025-02-13 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- SSLFilter security Issue
Summary
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Version: Apache MINA 2.1 2.1.0 Version: Apache MINA 2.0 2.0.21 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:15.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache MINA 2.1 2.1.0"
},
{
"status": "affected",
"version": "Apache MINA 2.0 2.0.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Oleksii Osypov."
}
],
"datePublic": "2019-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SSLFilter security Issue",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T03:16:11.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA SSLFilter security Issue",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "27/9/2019",
"ID": "CVE-2019-0231",
"STATE": "PUBLIC",
"TITLE": "Apache MINA SSLFilter security Issue"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache MINA",
"version": {
"version_data": [
{
"version_name": "Apache MINA 2.1",
"version_value": "2.1.0"
},
{
"version_name": "Apache MINA 2.0",
"version_value": "2.0.21"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Oleksii Osypov."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SSLFilter security Issue"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019",
"refsource": "MISC",
"url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-0231",
"datePublished": "2019-10-01T19:39:53.189Z",
"dateReserved": "2018-11-14T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:19.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}