CVE-2022-23307
HIGHApache Chainsaw < 2.1.0 - Deserialization of Untrusted Data
Title source: llmDescription
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_misc
https://logging.apache.org/log4j/1.2/index.html
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
8.8
EPSS
0.0267
EPSS Percentile
86.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (43)
apache/chainsaw
< 2.1.0
apache/log4j
1.2 - 2.0
Apache Software Foundation/Apache Log4j 1.x
1.2.1 - unspecified
Apache Software Foundation/Apache Log4j 1.x
unspecified - 2.0-alpha1
log4j/log4j
0Maven
oracle/advanced_supply_chain_planning
12.1
oracle/advanced_supply_chain_planning
12.2
oracle/business_intelligence
5.9.0.0.0
oracle/business_intelligence
12.2.1.3.0
oracle/business_intelligence
12.2.1.4.0
... and 33 more
Published
Jan 18, 2022
Tracked Since
Feb 18, 2026