Severity:

Affected versions:
- Apache MINA (org.apache.mina:mina.core) 2.2.0 through 2.2.5
- Apache MINA (org.apache.mina:mina.core) 2.1.0 through 2.1.10
- Apache MINA (org.apache.mina:mina.core) 2.0.0 through 2.0.27

Description:
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late, after a static initializer in a class to be read might already have been executed.

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

Credit:
Venkatraman Kumar, Securin (reporter)

References:
https://mina.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-41409
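The defect described above is one of ordering: the allowlist has to be consulted before the JVM is asked to produce the class, because once a class is loaded and used reflectively or instantiated, its static initializer runs. The following Java program is an added example, not code from Apache MINA or from the 2.x fix. It assumes a demo class AllowlistDemo with two nested types of its own (a harmless Point and an Evil whose static initializer only flips a flag) and shows an ObjectInputStream subclass that checks the stream descriptor's class name as a String inside resolveClass() before delegating to the JDK, so a name outside the list never reaches Class.forName(). The hostile stream is hand-built from the Java serialization format so that the Evil class is not touched before the read is attempted; the program then checks that the flag is still false.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

// Added example, not Apache MINA's code. Demonstrates applying a class-name
// allowlist before the named class is loaded, and verifies that a rejected
// class's static initializer never ran.
public class AllowlistDemo {

    // Flipped by Evil's static initializer; the demo checks it stays false.
    static volatile boolean staticInitRan = false;

    // Stand-in for a class whose static initializer does something unwanted.
    private static final class Evil implements Serializable {
        private static final long serialVersionUID = 1L;
        static { staticInitRan = true; }
    }

    // A harmless type the application legitimately expects to receive.
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }

    /** Rejects on the descriptor's class name (a String read from the stream)
     *  before super.resolveClass() would load the class. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
            // Second layer: a JEP 290 filter (Java 9+) that the JDK consults itself.
            setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size callbacks
                return allowed.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();      // nothing has been loaded yet
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not in deserialization allowlist");
            }
            return super.resolveClass(desc);   // only now does the JDK load the class
        }
    }

    /** Hand-builds a stream carrying one field-less object of the given class,
     *  without ever referencing that class (constructed input for the demo). */
    static byte[] craftStreamFor(String className, long serialVersionUid) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeShort(0xACED);   // STREAM_MAGIC
        out.writeShort(5);        // STREAM_VERSION
        out.writeByte(0x73);      // TC_OBJECT
        out.writeByte(0x72);      // TC_CLASSDESC
        out.writeUTF(className);
        out.writeLong(serialVersionUid);
        out.writeByte(0x02);      // SC_SERIALIZABLE
        out.writeShort(0);        // no fields
        out.writeByte(0x78);      // TC_ENDBLOCKDATA
        out.writeByte(0x70);      // TC_NULL: no serializable superclass
        out.flush();
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Point.class.getName());

        // 1. An allowlisted type round-trips normally.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) { oos.writeObject(new Point(3, 4)); }
        Point p;
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(buf.toByteArray()), allowed)) {
            p = (Point) in.readObject();
        }
        System.out.println("accepted Point(" + p.x + "," + p.y + ")");

        // 2. A type outside the list is rejected by name. Evil.class.getName()
        //    does not initialize the class (JLS 12.4.1), and nothing else has.
        byte[] hostile = craftStreamFor(Evil.class.getName(), 1L);
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(hostile), allowed)) {
            in.readObject();
            throw new AssertionError("should have been rejected");
        } catch (InvalidClassException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
        if (staticInitRan) throw new AssertionError("static initializer ran despite rejection");
        System.out.println("static initializer of Evil did not run");
    }
}
```

Compile and run with a Java 9 or later JDK (Set.of and ObjectInputFilter are Java 9 APIs). Reading the same hand-built bytes with a plain ObjectInputStream would instantiate Evil and so run its static initializer, which is the difference the check is there to make. Two practical caveats for a real allowlist: resolveClass() is also called for array descriptors (names such as "[B"), so those need entries if arrays are expected, and the name check should sit in front of any call that obtains a Class object, since reflective access to a static field or instantiation is what triggers initialization.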
