CVE-2024-52046
CVE-2024-52046 affects Apache MINA ObjectSerializationDecoder deserializing data via Java’s native protocol. Affected MINA core versions: 2.0.x, 2.1.x, 2.2.x; fixed in MINA core releases 2.0.27, 2.1.10 and 2.2.4. The issue only matters if IoBuffer#getObject() is invoked (e.g., when a ProtocolCode...
CVE-2019-0231
CVE-2019-0231 affects Apache MINA: handling of the TLS close_notify does not close the underlying connection, leaving the socket open and potentially allowing the client to receive cleartext data after termination. The vulnerability is documented across multiple sources, including IBM and GHSA re...
CVE-2021-41973
CVE-2021-41973 affects Apache MINA, where a specially crafted HTTP request can cause the HTTP Header decoder to loop indefinitely, leading to a denial of service. The root cause is the decoder assuming headers begin at the buffer start and looping if extra data is present. Mitigation: upgrade MIN...
CVE-2026-42779
CVE-2026-42779 affects Apache MINA’s AbstractIoBuffer.resolveClass(), where one branch bypasses the classname allowlist and permits arbitrary class loading, enabling potential remote code execution via IoBuffer.getObject(). Affected are MINA 2.1.0–2.1.11 and 2.2.0–2.2.6. The issue is fixed by int...
CVE-2026-41409
Apache MINA is affected by CVE-2026-41409 due to an incomplete fix for CVE-2024-52046 in AbstractIoBuffer.getObject(). The classname allowlist for deserialization was enforced too late after a class static initializer could already run. Affected versions: MINA 2.0.0–2.0.27, 2.1.0–2.1.10, 2.2.0–2....
CVE-2026-41635
Summary: CVE-2026-41635 affects Apache MINA’s AbstractIoBuffer.resolveClass(), where one code path for static/primitive types neglects the class check and bypasses the classname allowlist, enabling arbitrary code execution through object deserialization. Impact and scope: Affects MINA versions 2....
CVE-2026-42778
Apache MINA CVE-2026-42778 affects IoBuffer.getObject() deserialization. Affected: MINA 2.1.0–2.1.11 and 2.2.0–2.2.6 (also 2.1.0–2.1.110 in one note). Root cause: incomplete earlier fix for CVE-2024-52046; classname allowlist was applied too late. Impact: deserialization of untrusted data via IoB...