PT-2024-9987 · Apache · Apache Mina

Emmanuel Lécharny · Published 2024-12-24 · Updated 2026-05-18 · CVE-2024-52046

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Apache MINA versions 2.0.X through 2.2.X

Description: The ObjectSerializationDecoder in Apache MINA lacks the necessary security checks when processing incoming serialized data using Java's native deserialization protocol. This allows attackers to send crafted malicious serialized data, potentially leading to remote code execution (RCE). The IoBuffer#getObject() method is a key component in the exploitation chain, particularly when used with the ObjectSerializationCodecFactory class.

Recommendations: Upgrade to versions 2.0.27, 2.1.10, or 2.2.4. Additionally, explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance using one of the following methods: accept(ClassNameMatcher classNameMatcher), accept(Pattern pattern), or accept(String... patterns).
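The allowlist configuration the recommendation describes, as an added example (not code from the advisory or from the MINA project): a codec filter whose ObjectSerializationDecoder only resolves explicitly accepted class names. It assumes a fixed MINA release (2.2.4 or later, where the accept methods exist) and a hypothetical application package com.example.app.model.

```java
// Added example, not part of the advisory or of Apache MINA itself.
// Assumes MINA >= 2.2.4 and hypothetical application classes under
// com.example.app.model. The vulnerable configuration is the same filter
// built with no accept(...) call on the decoder at all.
import java.util.regex.Pattern;

import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;

public final class AllowlistedObjectCodec {

    /** Builds a codec filter that deserializes only allowlisted classes. */
    public static ProtocolCodecFilter build() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // Exact class names of the application's own message types
        // (hypothetical names; accept(String...) as named in the advisory).
        decoder.accept("com.example.app.model.Order",
                       "com.example.app.model.Customer");

        // Every class descriptor in the object graph is resolved, including
        // superclasses of embedded JDK value types, so those need an entry
        // too. Keep the pattern narrow: a broad "java.*" style pattern would
        // readmit the JDK classes that deserialization gadget chains rely on.
        decoder.accept(Pattern.compile("java\\.lang\\.(Number|Integer|Long)"));

        // Bound the size of a single serialized object on top of the
        // class allowlist (defence in depth against memory exhaustion).
        decoder.setMaxObjectSize(64 * 1024);

        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }
}
```

Install the returned filter in the acceptor's filter chain in place of an ObjectSerializationCodecFactory-based one; any incoming stream naming a class outside the allowlist is rejected before the object is instantiated.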

Tags: Fix · RCE · Code Injection

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BDU:2025-00105
CLEANSTART-2026-DD05788
CLEANSTART-2026-SQ91016
CLEANSTART-2026-VH41554
CLEANSTART-2026-WK99982
CVE-2024-52046
GHSA-76H9-2VWH-W278
OESA-2025-1044

Affected Products

Apache Mina
Debian