- Description
- The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application using the MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of the MINA core library. Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:

      /**
       * Accept class names where the supplied ClassNameMatcher matches for
       * deserialization, unless they are otherwise rejected.
       *
       * @param classNameMatcher the matcher to use
       */
      public void accept(ClassNameMatcher classNameMatcher)

      /**
       * Accept class names that match the supplied pattern for
       * deserialization, unless they are otherwise rejected.
       *
       * @param pattern standard Java regexp
       */
      public void accept(Pattern pattern)

      /**
       * Accept the wildcard specified classes for deserialization,
       * unless they are otherwise rejected.
       *
       * @param patterns Wildcard file name patterns as defined by
       *   {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
       */
      public void accept(String... patterns)

  By default, the decoder will reject *all* classes that will be present in the incoming data.
Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.
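The following is an added example (not code from this page or from the Apache MINA project) showing how the allow-list described above is wired into a MINA server filter chain so that the decoder only resolves the application's own message classes. It assumes MINA core 2.2.4 or later, the `org.apache.mina.filter.codec.serialization` package for the decoder and encoder, and two hypothetical application message classes `com.example.OrderRequest` and `com.example.OrderResponse`; the `ObjectSerializationEncoder` class, the `ProtocolCodecFilter(ProtocolEncoder, ProtocolDecoder)` constructor, the `setMaxObjectSize` setter and the port number are assumptions about the MINA 2.x API and deployment, not facts from the page.

```java
import java.net.InetSocketAddress;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/**
 * Added example (not MINA project code): configures the patched
 * ObjectSerializationDecoder with an explicit allow-list of classes.
 *
 * Before the fix, a filter chain built with
 *     new ProtocolCodecFilter(new ObjectSerializationCodecFactory())
 * resolved whatever class names the peer put on the wire, which is the
 * condition CVE-2024-52046 describes. After the fix the decoder rejects
 * every class until accept(...) is called, so the allow-list below is
 * required for legitimate traffic to decode at all.
 */
public final class SafeObjectCodecSetup {

    /** Upper bound on a single serialized object, in bytes (assumed setter, MINA 2.x). */
    private static final int MAX_OBJECT_BYTES = 64 * 1024;

    /**
     * Builds a decoder that accepts only the application's message types and
     * the JDK value types they carry. Any other class descriptor in the stream
     * is rejected, which is what blocks gadget-chain payloads: those depend on
     * the decoder resolving arbitrary classes from the classpath.
     */
    static ObjectSerializationDecoder buildDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // accept(String...) takes wildcard patterns; exact names are the tightest form.
        // com.example.OrderRequest / OrderResponse are hypothetical application classes.
        decoder.accept("com.example.OrderRequest", "com.example.OrderResponse");

        // accept(Pattern) takes a Java regexp. Boxed numbers used as fields of the
        // message classes appear as their own class descriptors in the stream and
        // must be allowed too; keep the pattern anchored and narrow rather than
        // opening "java.*", which would let in classes gadget chains are built from.
        decoder.accept(Pattern.compile("^java\\.lang\\.(Number|Integer|Long)$"));

        // Defence in depth against oversized payloads (assumed MINA 2.x setter).
        decoder.setMaxObjectSize(MAX_OBJECT_BYTES);
        return decoder;
    }

    /** Pairs the hardened decoder with the stock encoder in one codec filter. */
    static ProtocolCodecFilter buildCodecFilter() {
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), buildDecoder());
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        // The codec filter is added to the chain exactly as the advisory describes,
        // but with the allow-listed decoder instead of the default factory.
        acceptor.getFilterChain().addLast("codec", buildCodecFilter());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only com.example.OrderRequest / OrderResponse instances can reach here.
                session.write(message);
            }

            @Override
            public void exceptionCaught(IoSession session, Throwable cause) {
                // A rejected class surfaces as a decode exception; log and drop the session.
                System.err.println("decode failure from " + session.getRemoteAddress() + ": " + cause);
                session.closeNow();
            }
        });
        acceptor.bind(new InetSocketAddress(9123)); // port is an assumption
    }
}
```

Because the patched decoder rejects every class until `accept` is called, an upgraded deployment that keeps the old zero-argument `ObjectSerializationCodecFactory` setup fails closed on the first object message rather than decoding it; that decode exception is the expected signal after the upgrade, and the allow-list above is what resolves it without reopening the decoder to arbitrary classes.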
- Source
- security@apache.org
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 10
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- security@apache.org
- CWE-94
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
18
🚨 Critical Apache MINA Vulnerability: CVE-2024-52046 🚨 A flaw with CVSS 10.0 allows Remote Code Execution (RCE) via unsafe serialization in Apache MINA (v2.0.X, 2.1.X, 2.2.X). Exploitable when certain classes & methods are invoked. 🛠️ Mitigation: Update to the latest… h
@arunpratap786
27 Dec 2024
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
How To Fix CVE-2024-52046 - A Critical RCE Vulnerability in Apache MINA Object Serialization Decoder https://t.co/El91tD7iRp https://t.co/Peuee0nR03
@TheSecMaster1
27 Dec 2024
157 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CVE-2024-52046: Critical vulnerability in Apache MINA allows remote code execution. ⚠️ Update to the safe versions (2.0.27, 2.1.10, 2.2.4) and configure the allowed classes in ObjectSerializationDecoder. https://t.co/GIK7JKtMb6
@tpx_Security
27 Dec 2024
38 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA #CVE-2024-52046: CVSS 10.0 #flaw Enables #RCE via Unsafe Serialization https://t.co/UPwVwaQbvL
@AdliceSoftware
27 Dec 2024
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#CyberSecurity #Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/4StAHafxlM
@jos1727
27 Dec 2024
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization #Apache #MINA https://t.co/qUUag48PGk
@axcheron
27 Dec 2024
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Critical news for Security Analysts! Apache MINA CVE-2024-52046 presents a risky serialization vulnerability with a CVSS score of 10.0. Patch now to avoid an RCE! #Cybersecurite #Vulnérabilité 👉 https://t.co/EcL1zL7Lrm
@CyberAlertFr
27 Dec 2024
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/uhJSmoaQWk
@Dinosn
27 Dec 2024
75 Impressions
1 Retweet
1 Like
1 Bookmark
0 Replies
0 Quotes
CVE-2024-52046 (CVSS 10.0): Critical Remote Code Execution Vulnerability Discovered in Apache MINA https://t.co/ehmPUlALXF
@cyberwebeyeos
27 Dec 2024
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization Learn More ➥ https://t.co/Xk2DkC55EI #cybersecurity #hacking #cyberattack #technews
@allhackernews_
27 Dec 2024
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/hudzL63uWx https://t.co/mn3KbVtD7H
@talentxfactor
27 Dec 2024
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#Apache MINA #CVE-2024-52046: #CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/17lpkHacZF
@ScyScan
27 Dec 2024
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/ceqsOGfYCD
@molari999
27 Dec 2024
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The Hacker News - Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/Cy0rQMaKmS
@buzz_sec
27 Dec 2024
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/yItXNOfiAZ
@DemolisherDigi
27 Dec 2024
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#ln -s: RSS: Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization https://t.co/bwIE8kXYbR
@cpardue09
27 Dec 2024
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 A critical CVE-2024-52046 vulnerability in Apache MINA, scoring a perfect CVSS 10.0, could enable remote code execution. The flaw lies in Java’s deserialization protocol, leaving systems wide open to attack if improperly secured. Read now: https://t.co/CFo6ZC7qnU
@TheHackersNews
27 Dec 2024
44183 Impressions
40 Retweets
108 Likes
24 Bookmarks
2 Replies
4 Quotes
🚨 Critical Security Alert 🚨 Apache has issued warnings about critical vulnerabilities in MINA, HugeGraph, and Traffic Control components. These flaws could expose systems to severe risks if left unpatched. Key Vulnerabilities: CVE-2024-52046: Affects Apache MINA versions… h
@arunpratap786
26 Dec 2024
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[1/5] A critical RCE vulnerability, assigned a CVSS score of 10.0 by Apache, has been discovered in Apache MINA. This issue, CVE-2024-52046, is a classic Java deserialization vulnerability. Is the extremely high severity given to this vulnerability justified? Let’s take a look.
@JFrogSecurity
26 Dec 2024
359 Impressions
1 Retweet
2 Likes
1 Bookmark
1 Reply
0 Quotes
CVE-2024-52046 Impacts Apache Mina #ApacheMina #CVE-2024-52046 https://t.co/TWTYLeKxkk
@pravin_karthik
26 Dec 2024
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-52046 (CVSS 10): Critical Apache MINA Flaw Could Allow Remote Code Execution https://t.co/d9b0QEZP0I
@Dinosn
26 Dec 2024
2579 Impressions
1 Retweet
11 Likes
4 Bookmarks
0 Replies
0 Quotes
🚨 CVE Alert: Critical Apache MINA Remote Code Execution (RCE) Vulnerability🚨 Vulnerability Details: CVE-2024-52046 (CVSS 10/10) Apache MINA Remote Code Execution (RCE) Vulnerability Impact A successful exploit may allow attackers to exploit the deserialization process by… ht
@CyberxtronTech
26 Dec 2024
100 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
『an application using MINA core library will only be affected if the IoBuffer#getObject() method is called,』 CVE-2024-52046: Apache MINA: MINA applications using unbounded deserialization may allow RCE https://t.co/Ih5n0hsmtd
@autumn_good_35
25 Dec 2024
442 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-52046 The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks … https://t.co/hDHVPxtZBm
@CVEnew
25 Dec 2024
726 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2024-52046: CRITICAL] Risk alert! Apache MINA core versions 2.0.X, 2.1.X, 2.2.X exposed to RCE attacks due to ObjectSerializationDecoder vulnerability. Apply updates and restrict accepted classes now!#cybersecurity,#vulnerability https://t.co/KMwSTC55Lv https://t.co/TUxT7h9D
@CveFindCom
25 Dec 2024
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-52046 CVE-2024-52046 Apache MINA: MINA applications using unbounded deserialization may allow RCE https://t.co/jKDnItmEWO
@VulmonFeeds
25 Dec 2024
114 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes