Vulnerability Details : CVE-2013-1768
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
Vulnerability category: Execute code
Products affected by CVE-2013-1768
- cpe:2.3:a:apache:openjpa:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openjpa:2.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1768
- EPSS score: 10.57% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~93% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2013-1768
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2013-1768
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1768
- http://svn.apache.org/viewvc?view=revision&revision=1462268 : [Apache-SVN] Revision 1462268
- http://svn.apache.org/viewvc?view=revision&revision=1462318 : [Apache-SVN] Revision 1462318
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047 : IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.7
- http://svn.apache.org/viewvc?view=revision&revision=1462328 : [Apache-SVN] Revision 1462328
- http://www.securityfocus.com/bid/60534 : Apache OpenJPA Object Deserialization Arbitrary File Creation or Overwrite Vulnerability
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html : Oracle Critical Patch Update - April 2018
- http://svn.apache.org/viewvc?view=revision&revision=1462558 : [Apache-SVN] Revision 1462558
- http://rhn.redhat.com/errata/RHSA-2013-1862.html : RHSA-2013:1862 - Security Advisory - Red Hat Customer Portal
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM86788
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM86791
- http://svn.apache.org/viewvc?view=revision&revision=1462488 : [Apache-SVN] Revision 1462488
- http://svn.apache.org/viewvc?view=revision&revision=1462076 : [Apache-SVN] Revision 1462076
- http://svn.apache.org/viewvc?view=revision&revision=1462225 : [Apache-SVN] Revision 1462225
- http://svn.apache.org/viewvc?view=revision&revision=1462512 : [Apache-SVN] Revision 1462512
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM86786
- http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0099.html
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM86780
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82268 : Apache OpenJPA deserialization command execution CVE-2013-1768 Vulnerability Report
- http://www-01.ibm.com/support/docview.wss?uid=swg21635999 : IBM Security Bulletin: Potential security vulnerability in WebSphere Application Server CVE-2013-1768 PM86780