Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA, which leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
CVE ID: CVE-2024-54676
Vendor: Apache Software Foundation
Product: Apache OpenMeetings
EPSS Score: 0.18% (probability of being exploited)
EPSS Percentile: 55.53% (share of vulnerabilities scored less than or equal to this one)
EPSS Date: 2025-02-06 (when was this score calculated)
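
The recommendation above to set both OpenJPA properties in the startup scripts can be checked mechanically. The following shell audit is an added example, not code from the advisory or from Apache OpenMeetings; it reports which of the two properties a startup script leaves unset. It assumes the properties appear as `name=value` on a non-comment line (for instance as JVM `-D` options); the function names and the placeholder values are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): report which of the two OpenJPA
# serialization properties named in the advisory a startup script fails to set.

# Print each required property that no non-comment line sets to a
# non-empty value. Prints nothing when both lists are configured.
missing_openjpa_lists() {
    for prop in openjpa.serialization.class.blacklist \
                openjpa.serialization.class.whitelist; do
        pat=$(printf '%s' "$prop" | sed 's/\./\\./g')   # match dots literally
        if ! grep -v '^[[:space:]]*#' "$1" |
             grep -Eq "${pat}=[\"']?[^[:space:]\"']"; then
            printf '%s\n' "$prop"
        fi
    done
}

# Exit status: 0 both lists set, 1 at least one missing, 2 file unreadable.
audit_startup_script() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    missing=$(missing_openjpa_lists "$1")
    if [ -n "$missing" ]; then
        echo "$1: not set: $(echo $missing)" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a startup script that sets only the blacklist, passed
# as a JVM system property (assumed form); the value is a placeholder.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# -Dopenjpa.serialization.class.whitelist=PLACEHOLDER (commented out)
export JAVA_OPTS="$JAVA_OPTS -Dopenjpa.serialization.class.blacklist=PLACEHOLDER"
EOF
    missing_openjpa_lists "$tmp"
    rm -f "$tmp"
}
```

Run `audit_startup_script` against each node's startup script; the values to assign to the two properties are the ones given in the project documentation, not the placeholders used here.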