CVE-2022-24721
Description
CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom SecurityPolicy that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.cometd.java:cometd-java-oortMaven | < 5.0.11 | 5.0.11 |
org.cometd.java:cometd-java-oortMaven | >= 6.0.0, < 6.0.6 | 6.0.6 |
org.cometd.java:cometd-java-oortMaven | >= 7.0.0, < 7.0.6 | 7.0.6 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-rjmq-6v55-4rjvghsaADVISORY
- github.com/cometd/cometd/issues/1146nvdIssue TrackingThird Party AdvisoryWEB
- github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjvnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-24721ghsaADVISORY
- github.com/cometd/cometd/commit/bb445a143fbf320f17c62e340455cd74acfb5929ghsaWEB
News mentions
0No linked articles in our index yet.