8 matches found

CVE
added 2024/12/25 10:6 a.m., 1756 views

CVE-2024-52046

CVE-2024-52046 affects Apache MINA ObjectSerializationDecoder deserializing data via Java’s native protocol. Affected MINA core versions: 2.0.x, 2.1.x, 2.2.x; fixed in MINA core releases 2.0.27, 2.1.10 and 2.2.4. The issue only matters if IoBuffer#getObject() is invoked (e.g., when a ProtocolCode...

CVSS 10, AI score 7.4, EPSS 0.23932

CVE
added 2019/10/01 7:39 p.m., 213 views

CVE-2019-0231

CVE-2019-0231 affects Apache MINA: handling of the TLS close_notify does not close the underlying connection, leaving the socket open and potentially allowing the client to receive cleartext data after termination. The vulnerability is documented across multiple sources, including IBM and GHSA re...

CVSS 7.5, AI score 7.4, EPSS 0.02201

CVE
added 2021/11/01 8:35 a.m., 152 views

CVE-2021-41973

CVE-2021-41973 affects Apache MINA, where a specially crafted HTTP request can cause the HTTP Header decoder to loop indefinitely, leading to a denial of service. The root cause is the decoder assuming headers begin at the buffer start and looping if extra data is present. Mitigation: upgrade MIN...

CVSS 6.5, AI score 6.4, EPSS 0.04332

CVE
added 2026/06/03 9:39 a.m., 110 views

CVE-2026-47065

CVE-2026-47065 (Apache MINA context) describes two deserialization bypass issues: first, resolveProxyClass bypasses the accept/allow-list when JDK resolves proxy interfaces from a serialized proxy via ObjectInputStream.readProxyDesc(), and second, readClassDescriptor triggers static initializers ...

CVSS 9.8, AI score 5.8, EPSS 0.00468

CVE
added 2026/05/01 10:0 a.m., 77 views

CVE-2026-42779

CVE-2026-42779 affects Apache MINA’s AbstractIoBuffer.resolveClass(), where one branch bypasses the classname allowlist and permits arbitrary class loading, enabling potential remote code execution via IoBuffer.getObject(). Affected are MINA 2.1.0–2.1.11 and 2.2.0–2.2.6. The issue is fixed by int...

CVSS 9.8, AI score 6, EPSS 0.00902

CVE
added 2026/04/27 9:20 a.m., 42 views

CVE-2026-41409

Apache MINA is affected by CVE-2026-41409 due to an incomplete fix for CVE-2024-52046 in AbstractIoBuffer.getObject(). The classname allowlist for deserialization was enforced too late after a class static initializer could already run. Affected versions: MINA 2.0.0–2.0.27, 2.1.0–2.1.10, 2.2.0–2....

CVSS 9.8, AI score 5.3, EPSS 0.00451

CVE
added 2026/05/01 10:1 a.m., 32 views

CVE-2026-42778

Apache MINA CVE-2026-42778 affects IoBuffer.getObject() deserialization. Affected: MINA 2.1.0–2.1.11 and 2.2.0–2.2.6 (also 2.1.0–2.1.110 in one note). Root cause: incomplete earlier fix for CVE-2024-52046; classname allowlist was applied too late. Impact: deserialization of untrusted data via IoB...

CVSS 9.8, AI score 5.8, EPSS 0.00657

CVE
added 2026/04/27 8:59 a.m., 28 views

CVE-2026-41635

Summary: CVE-2026-41635 affects Apache MINA’s AbstractIoBuffer.resolveClass(), where one code path for static/primitive types neglects the class check and bypasses the classname allowlist, enabling arbitrary code execution through object deserialization. Impact and scope: Affects MINA versions 2....

CVSS 9.8, AI score 5.6, EPSS 0.0064