CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode

First published: Wed Jan 08 2025(Updated: )

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html  doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

Credit: security@apache.org security@apache.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/oss-sec
• source/oss-sec
• alias/CVE-2024-54676
• agent/title
• agent/first-publish-date
• agent/weakness
• agent/type
• agent/description
• agent/severity
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-mjf9-4pcv-vfg7
• agent/software-canonical-lookup
• agent/references
• agent/event
• agent/trending
• collector/nvd-cve
• source/NVD
• agent/author
• collector/mitre-cve
• source/MITRE
• collector/nvd-api
• agent/last-modified-date
• agent/softwarecombine
• agent/source
• agent/tags
• collector/github-advisory
• package-manager/maven
• vendor/apache
• canonical/apache openmeetings
• version/apache openmeetings/2.1