CVE-2024-54676
CRITICAL
Apache OpenMeetings < 8.0.0 - Insecure Deserialization
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA, which leaves a clustered deployment open to deserialization of untrusted data (an OpenJPA remote commit provider exchanges serialized Java objects between cluster nodes, and without a class filter any class on the classpath may be instantiated during deserialization). Users are recommended to upgrade to version 8.0.0 and to update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
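The fix described above is a configuration change, so the practical check is whether the JVM running OpenMeetings actually carries both OpenJPA filter properties. The script below is an added example written for this page, not part of the advisory or of the OpenMeetings project: it takes a JVM option string (from a startup script or from a running java process's command line) and reports whether both properties are present and non-empty. The two property names come from the advisory; the sample option strings, the example class-list values and their comma-separated syntax are assumptions, so the values to use should be taken from the OpenJPA and OpenMeetings 8.0.0 documentation rather than from here.

```shell
#!/bin/sh
# Added example for CVE-2024-54676: audit JVM options for the OpenJPA
# deserialization filter properties named in the advisory.
# Property names are from the advisory; sample values below are assumed.

# Constructed sample: a startup line following the pre-8.0.0 clustering
# instructions, which set no deserialization filter at all.
WEAK_OPTS="-Xmx2g -Djava.awt.headless=true"

# Constructed sample: the same line with both filter properties added.
# The class/package lists are illustrative assumptions, not the documented
# values; the point is that both properties are set and non-empty.
HARDENED_OPTS="-Xmx2g -Djava.awt.headless=true \
-Dopenjpa.serialization.class.blacklist=org.apache.commons.collections.functors,org.codehaus.groovy.runtime \
-Dopenjpa.serialization.class.whitelist=org.apache.openmeetings,java.lang,java.util"

# Extract the value of one -D<name>=<value> system property from an option
# string. Prints the value (possibly empty) to stdout.
jvm_prop_value() {
    opts="$1"
    name="$2"
    # One option per line, then strip the "-D<name>=" prefix and print the rest.
    printf '%s\n' "$opts" | tr ' ' '\n' \
        | sed -n "s/^-D$(printf '%s' "$name" | sed 's/\./\\./g')=//p"
}

# Returns 0 when both openjpa.serialization.class.blacklist and
# openjpa.serialization.class.whitelist are present with non-empty values,
# 1 otherwise. A property that is present but empty counts as missing.
openjpa_filters_set() {
    bl=$(jvm_prop_value "$1" "openjpa.serialization.class.blacklist")
    wl=$(jvm_prop_value "$1" "openjpa.serialization.class.whitelist")
    [ -n "$bl" ] && [ -n "$wl" ]
}

# Prints a one-line verdict for a labelled option string.
report() {
    label="$1"
    opts="$2"
    if openjpa_filters_set "$opts"; then
        echo "$label: OK - both OpenJPA serialization filter properties set"
    else
        echo "$label: MISSING - add -Dopenjpa.serialization.class.blacklist=... and -Dopenjpa.serialization.class.whitelist=..."
    fi
}

# Inspect every running java process on this host. Not exercised by the
# constructed samples; intended for use on a real OpenMeetings node.
audit_running_java() {
    ps -eo pid=,args= | while read -r pid args; do
        case "$args" in
            *java*) report "pid $pid" "$args" ;;
        esac
    done
}

report "weak startup line" "$WEAK_OPTS"
report "hardened startup line" "$HARDENED_OPTS"
```

Run it on each cluster node after the upgrade; a node that still prints MISSING has not picked up the new startup script, and since OpenJPA reads these as system properties, setting them in only one node's script leaves the others exposed.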
Scores
CVSS v3
9.8
EPSS
0.0612
EPSS Percentile
90.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (2)
apache/openmeetings
< 8.0.0
org.apache.openmeetings/openmeetings-parent
< 8.0.0 (Maven)
Timeline
Published
Jan 08, 2025
Tracked Since
Feb 18, 2026