CVE-2024-52046

Published Dec 25, 2024

Last updated 15 days ago

Overview

Description
The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.

This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and is fixed in the releases 2.0.27, 2.1.10 and 2.2.4.

It's also important to note that an application using the MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of the MINA core library.

Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:

    /**
     * Accept class names where the supplied ClassNameMatcher matches for
     * deserialization, unless they are otherwise rejected.
     *
     * @param classNameMatcher the matcher to use
     */
    public void accept(ClassNameMatcher classNameMatcher)

    /**
     * Accept class names that match the supplied pattern for
     * deserialization, unless they are otherwise rejected.
     *
     * @param pattern standard Java regexp
     */
    public void accept(Pattern pattern)

    /**
     * Accept the wildcard specified classes for deserialization,
     * unless they are otherwise rejected.
     *
     * @param patterns Wildcard file name patterns as defined by
     * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
     */
    public void accept(String... patterns)

By default, the decoder will reject *all* classes that will be present in the incoming data.
Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.
Source
security@apache.org
NVD status
Modified

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-502
nvd@nist.gov
CWE-502

Social media

Hype score
Not currently trending
  1. A critical (CVE-2024-52046) vulnerability in Apache MINA, scoring a perfect CVSS 10.0, could enable remote code execution. The flaw lies in Java’s de-serialization protocol, leaving systems wide open to attack if improperly secured.

    @byt3n33dl3

    2 Jan 2025

    339 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨🔒 Attention developers! A critical vulnerability (CVE-2024-52046) has been detected in Apache MINA with CVSS 10.0. Don't risk your security, update today. Details here: https://t.co/VyYZNf9Ykk #Ciberseguridad #ApacheMINA #Vulnerabilidad

    @SotyHub

    31 Dec 2024

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Critical Apache MINA Vulnerability (CVE-2024-52046) https://t.co/ED8Oi2CHXh #CyberSecurity #SoftwareSecurity #ApacheMINA #CVE202452046 #CriticalVulnerability #RemoteCodeExecution #MalwareAlert #IoTSecurity #CyberThreat #ThreatIntelligence #CyberDefense #Hackers https://t.co/F

    @mortaldrag65982

    31 Dec 2024

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization 🚨 WIRE TOR - The Ethical Hacking Services 🔍 A critical vulnerability in the Apache MINA Java network application framework has been identified and patched. #hacker https://t.co/ZlYcFgptch

    @WireTor

    30 Dec 2024

    27 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/NCgDpOe6Lk #CyberSecurity #Vulnerabilities #CSCIS

    @CIDC_Ops

    30 Dec 2024

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/pjU5e7Tyjz

    @PVynckier

    29 Dec 2024

    94 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Apache MINA CVE-2024-52046: Maximum-severity CVSS 10.0 vulnerability allows RCE https://t.co/ywDHAj1W5K https://t.co/B6koulfSOX

    @elhackernet

    28 Dec 2024

    2899 Impressions

    3 Retweets

    17 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  8. #Vulnerability #ApacheMINA CVE-2024-52046 (CVSS 10): Critical Apache MINA Flaw Could Allow Remote Code Execution https://t.co/qPvKjt0ggO

    @Komodosec

    28 Dec 2024

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 😳😳😳 Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/OOMGeMQDTD via @TheHackersNews

    @HackToProtect

    28 Dec 2024

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. 🚨 A critical security vulnerability, CVE-2024-52046, in Apache MINA, which scored a perfect CVSS 10.0, could allow remote code execution. The flaw lies in Java's deserialization protocol, leaving systems wide open to attack if they are not properly secured. (1/2)

    @CERT_Arabic

    27 Dec 2024

    19 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  11. 🚨 Critical Apache MINA Vulnerability: CVE-2024-52046 🚨 A flaw with CVSS 10.0 allows Remote Code Execution (RCE) via unsafe serialization in Apache MINA (v2.0.X, 2.1.X, 2.2.X). Exploitable when certain classes & methods are invoked. 🛠️ Mitigation: Update to the latest… h

    @arunpratap786

    27 Dec 2024

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. How To Fix CVE-2024-52046 - A Critical RCE Vulnerability in Apache MINA Object Serialization Decoder https://t.co/El91tD7iRp https://t.co/Peuee0nR03

    @TheSecMaster1

    27 Dec 2024

    405 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  13. 🚨 CVE-2024-52046: Critical vulnerability in Apache MINA allows remote code execution. ⚠️ Update to the safe versions (2.0.27, 2.1.10, 2.2.4) and configure the allowed classes in ObjectSerializationDecoder. https://t.co/GIK7JKtMb6

    @tpx_Security

    27 Dec 2024

    154 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Apache MINA #CVE-2024-52046: CVSS 10.0 #flaw Enables #RCE via Unsafe Serialization https://t.co/UPwVwaQbvL

    @AdliceSoftware

    27 Dec 2024

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. #CyberSecurity #Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/4StAHafxlM

    @jos1727

    27 Dec 2024

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization #Apache #MINA https://t.co/qUUag48PGk

    @axcheron

    27 Dec 2024

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. ⚠️ Critical news for Security Analysts! Apache MINA CVE-2024-52046 presents a risky serialization vulnerability with a CVSS score of 10.0. Patch now to avoid an RCE! #Cybersecurite #Vulnérabilité 👉 https://t.co/EcL1zL7Lrm

    @CyberAlertFr

    27 Dec 2024

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/uhJSmoaQWk

    @Dinosn

    27 Dec 2024

    75 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  19. CVE-2024-52046 (CVSS 10.0): Critical Remote Code Execution Vulnerability Discovered in Apache MINA https://t.co/ehmPUlALXF

    @cyberwebeyeos

    27 Dec 2024

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/UDltIsgcvC

    @inevitable360

    27 Dec 2024

    517 Impressions

    1 Retweet

    7 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  21. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization Learn More ➥ https://t.co/Xk2DkC55EI #cybersecurity #hacking #cyberattack #technews

    @allhackernews_

    27 Dec 2024

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/hudzL63uWx https://t.co/mn3KbVtD7H

    @talentxfactor

    27 Dec 2024

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. #Apache MINA #CVE-2024-52046: #CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/17lpkHacZF

    @ScyScan

    27 Dec 2024

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/ceqsOGfYCD

    @molari999

    27 Dec 2024

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. The Hacker News - Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/Cy0rQMaKmS

    @buzz_sec

    27 Dec 2024

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/yItXNOfiAZ

    @DemolisherDigi

    27 Dec 2024

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. #ln -s: RSS: Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/bwIE8kXYbR

    @cpardue09

    27 Dec 2024

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 🚨 A critical CVE-2024-52046 vulnerability in Apache MINA, scoring a perfect CVSS 10.0, could enable remote code execution. The flaw lies in Java’s deserialization protocol, leaving systems wide open to attack if improperly secured. Read now: https://t.co/CFo6ZC7qnU

    @TheHackersNews

    27 Dec 2024

    49653 Impressions

    48 Retweets

    122 Likes

    26 Bookmarks

    2 Replies

    4 Quotes

  29. 🚨 Critical Security Alert 🚨 Apache has issued warnings about critical vulnerabilities in MINA, HugeGraph, and Traffic Control components. These flaws could expose systems to severe risks if left unpatched. Key Vulnerabilities: CVE-2024-52046: Affects Apache MINA versions… h

    @arunpratap786

    26 Dec 2024

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. [1/5] A critical RCE vulnerability, assigned a CVSS score of 10.0 by Apache, has been discovered in Apache MINA. This issue, CVE-2024-52046, is a classic Java deserialization vulnerability. Is the extremely high severity given to this vulnerability justified? Let’s take a look.

    @JFrogSecurity

    26 Dec 2024

    359 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  31. CVE-2024-52046 Impacts Apache Mina #ApacheMina #CVE-2024-52046 https://t.co/TWTYLeKxkk

    @pravin_karthik

    26 Dec 2024

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. CVE-2024-52046 (CVSS 10): Critical Apache MINA Flaw Could Allow Remote Code Execution https://t.co/d9b0QEZP0I

    @Dinosn

    26 Dec 2024

    2579 Impressions

    1 Retweet

    11 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  33. 🚨 CVE Alert: Critical Apache MINA Remote Code Execution (RCE) Vulnerability🚨 Vulnerability Details: CVE-2024-52046 (CVSS 10/10) Apache MINA Remote Code Execution (RCE) Vulnerability Impact A successful exploit may allow attackers to exploit the deserialization process by… ht

    @CyberxtronTech

    26 Dec 2024

    100 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 『an application using MINA core library will only be affected if the IoBuffer#getObject() method is called,』 CVE-2024-52046: Apache MINA: MINA applications using unbounded deserialization may allow RCE https://t.co/Ih5n0hsmtd

    @autumn_good_35

    25 Dec 2024

    442 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. CVE-2024-52046 The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks … https://t.co/hDHVPxtZBm

    @CVEnew

    25 Dec 2024

    726 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. [CVE-2024-52046: CRITICAL] Risk alert! Apache MINA core versions 2.0.X, 2.1.X, 2.2.X exposed to RCE attacks due to ObjectSerializationDecoder vulnerability. Apply updates and restrict accepted classes now!#cybersecurity,#vulnerability https://t.co/KMwSTC55Lv https://t.co/TUxT7h9D

    @CveFindCom

    25 Dec 2024

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. CVE-2024-52046 CVE-2024-52046 Apache MINA: MINA applications using unbounded deserialization may allow RCE https://t.co/jKDnItmEWO

    @VulmonFeeds

    25 Dec 2024

    114 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations