CVE-2022-23307 in Apache and Qos Products
Published on January 18, 2022


CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Vulnerability Analysis
CVE-2022-23307 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2022-23307 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2022-23307
You can be notified by stack.watch whenever vulnerabilities like CVE-2022-23307 are published in these products:
What versions are vulnerable to CVE-2022-23307?
-
Apache Chainsaw Fixed in Version 2.1.0
-
Apache Log4j Version 1.2 Fixed in Version 2.0
-
Qos Reload4j Fixed in Version 1.2.18.1