{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T01:18:30.569","vulnerabilities":[{"cve":{"id":"CVE-2023-39913","sourceIdentifier":"security@apache.org","published":"2023-11-08T08:15:08.883","lastModified":"2025-02-13T17:16:54.320","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\n\nThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\n  *  the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\n  *  the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;\n  *  the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\n  *  the CasAnnotationViewerApplet and the CasTreeViewerApplet;\n  *  the checkpointing feature of the CPE module.\n\nNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.\n\nWhen using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\n\nAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf.  https://openjdk.org/jeps/290  and  https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. \n\nNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\n\nTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \"jdk.serialFilter\" system property using a semicolon as a separator:\n\nTo allow deserializing Java-serialized binary CASes, add the classes:\n  *  org.apache.uima.cas.impl.CASCompleteSerializer\n  *  org.apache.uima.cas.impl.CASMgrSerializer\n  *  org.apache.uima.cas.impl.CASSerializer\n  *  java.lang.String\n\nTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\n  *  org.apache.uima.collection.impl.cpm.CheckpointData\n  *  org.apache.uima.util.ProcessTrace\n  *  org.apache.uima.util.impl.ProcessTrace_impl\n  *  org.apache.uima.collection.base_cpm.SynchPoint\n\nMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\n\nApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version."},{"lang":"es","value":"Deserialización de datos que no son de confianza, vulnerabilidad de validación de entrada incorrecta en Apache UIMA Java SDK. Este problema afecta a Apache UIMA Java SDK: anterior a 3.5.0. Se recomienda a los usuarios actualizar a la versión 3.5.0, que soluciona el problema. Hay varias ubicaciones en el código donde los objetos Java serializados se deserializan sin verificar los datos. Esto afecta en particular: * a la deserialización de un CAS serializado en Java, pero también a otros formatos binarios de CAS que incluyen información TSI utilizando la clase CasIOUtils; * el complemento CAS Editor Eclipse que utiliza la clase CasIOUtils para cargar datos; * la deserialización de un CAS serializado en Java del servicio Vinci Analysis Engine que puede recibir objetos CAS serializados en Java a través de conexiones de red; * el CasAnnotationViewerApplet y el CasTreeViewerApplet; * la función de puntos de control del módulo CPE. Tenga en cuenta que el framework UIMA de forma predeterminada no inicia ningún servicio accesible de forma remota (es decir, Vinci) que sería vulnerable a este problema. Un usuario o desarrollador tendría que tomar una decisión activa para iniciar dicho servicio. Sin embargo, los usuarios o desarrolladores pueden utilizar CasIOUtils en sus propias aplicaciones y servicios para analizar datos CAS serializados. Se ven afectados por este problema a menos que se aseguren de que los datos pasados a CasIOUtils no sean un objeto Java serializado. Cuando se utiliza Vinci o CasIOUtils en servicios/aplicaciones propios, la deserialización sin restricciones de archivos CAS serializados en Java puede permitir la ejecución de código arbitrario (remoto). Como solución, es posible configurar un ObjectInputFilter global o específico del contexto (cf. https://openjdk.org/jeps/290 y https://openjdk.org/jeps/415) si se ejecuta UIMA en un sistema Java versión que lo soporta. Tenga en cuenta que Java 1.8 no es compatible con ObjectInputFilter, por lo que no hay solución cuando se ejecuta en esta plataforma que no es compatible. Se recomienda encarecidamente actualizar a una versión reciente de Java si necesita proteger una versión de UIMA afectada por este problema. Para mitigar el problema en una plataforma Java 9+, puede configurar un patrón de filtro a través de la propiedad del sistema \"jdk.serialFilter\" usando un punto y coma, como separador: Para permitir deserializar CAS binarios serializados en Java, agregue las clases: * org.apache .uima.cas.impl.CASCompleteSerializer * org.apache.uima.cas.impl.CASMgrSerializer * org.apache.uima.cas.impl.CASSerializer * java.lang.String Para permitir la deserialización de datos de CPE Checkpoint, agregue las siguientes clases ( y cualquier clase personalizada que su aplicación utilice para almacenar sus puntos de control): * org.apache.uima.collection.impl.cpm.CheckpointData * org.apache.uima.util.ProcessTrace * org.apache.uima.util.impl.ProcessTrace_impl * org.apache.uima.collection.base_cpm.SynchPoint Asegúrese de utilizar \"!*\" como componente final del patrón de filtro para no permitir la deserialización de cualquier clase que no figure en el patrón. Apache UIMA 3.5.0 utiliza ObjectInputFilters de alcance estricto al leer datos serializados en Java, según el tipo de datos que se espera. No es necesario configurar un filtro global con esta versión."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*","versionEndExcluding":"3.5.0","matchCriteriaId":"C0660629-7E58-403B-BB1E-AC1F7ACD65E9"}]}]}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2023/11/08/1","source":"security@apache.org","tags":["Mailing List"]},{"url":"https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4","source":"security@apache.org","tags":["Mailing List"]},{"url":"http://www.openwall.com/lists/oss-security/2023/11/08/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}