CVE-2013-1768

high

Description

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

References

http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0099.html

http://rhn.redhat.com/errata/RHSA-2013-1862.html

http://svn.apache.org/viewvc?view=revision&revision=1462076

http://svn.apache.org/viewvc?view=revision&revision=1462225

http://svn.apache.org/viewvc?view=revision&revision=1462268

http://svn.apache.org/viewvc?view=revision&revision=1462318

http://svn.apache.org/viewvc?view=revision&revision=1462328

http://svn.apache.org/viewvc?view=revision&revision=1462488

http://svn.apache.org/viewvc?view=revision&revision=1462512

http://svn.apache.org/viewvc?view=revision&revision=1462558

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.securityfocus.com/bid/60534

http://www-01.ibm.com/support/docview.wss?uid=swg1PM86780

http://www-01.ibm.com/support/docview.wss?uid=swg1PM86786

http://www-01.ibm.com/support/docview.wss?uid=swg1PM86788

http://www-01.ibm.com/support/docview.wss?uid=swg1PM86791

http://www-01.ibm.com/support/docview.wss?uid=swg21635999

http://www-01.ibm.com/support/docview.wss?uid=swg21644047

https://exchange.xforce.ibmcloud.com/vulnerabilities/82268

Details

Source: MITRE

Published: 2013-07-11

Updated: 2018-04-20

Type: CWE-264

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

9 plugins total

ID      Name                                                                             Product  Family                          Severity
109201  Oracle WebLogic Server Multiple Vulnerabilities (April 2018 CPU)                 Nessus   Misc.                           critical
70325   Mandriva Linux Security Advisory : openjpa (MDVSA-2013:246)                      Nessus   Mandriva Local Security Checks  high
70022   IBM WebSphere Application Server 6.1 < Fix Pack 47 Multiple Vulnerabilities      Nessus   Web Servers                     critical
69449   IBM WebSphere Application Server 8.0 < Fix Pack 7 Multiple Vulnerabilities       Nessus   Web Servers                     high
69021   IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5 Multiple Vulnerabilities   Nessus   Web Servers                     high
68989   Fedora 17 : openjpa-2.2.0-3.fc17 (2013-12967)                                    Nessus   Fedora Local Security Checks    high
68988   Fedora 18 : openjpa-2.2.0-3.fc18 (2013-12960)                                    Nessus   Fedora Local Security Checks    high
68987   Fedora 19 : openjpa-2.2.1-6.fc19 (2013-12948)                                    Nessus   Fedora Local Security Checks    high
68982   IBM WebSphere Application Server 7.0 < Fix Pack 29 Multiple Vulnerabilities      Nessus   Web Servers                     high