{"id":"CVE-2022-24289","details":"Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.","aliases":["GHSA-c58c-w527-h77p"],"modified":"2026-04-10T04:45:20.375535Z","published":"2022-02-11T13:15:08.237Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/02/11/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cayenne","events":[{"introduced":"0"},{"fixed":"80fdee02c85bcea191931236ad8ba2c4d8f022d3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.2"}]}}],"versions":["4.0.M4","4.0.M5","4.1.M1","4.1.M2","4.2.B1","4.2.M1","4.2.M2","4.2.M3","4.2.RC1","4.2.RC2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24289.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}