The resolveClass() method in Apache MINA AbstractIoBuffer lacks proper class validation for static classes and primitive types, allowing attackers to bypass the existing classname allowlist. This flaw enables arbitrary code execution when an application uses the vulnerable IoBuffer.getObject() method. All unpatched affected versions are exposed to remote exploitation by malicious actors.
Remediation
Upgrade Apache MINA to the patched versions 2.0.28, 2.1.11, or 2.2.6 immediately. If an immediate upgrade is not possible, restrict access to applications that call IoBuffer.getObject() and block untrusted input to vulnerable endpoints.
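As an added defence-in-depth measure for the interim mitigation above (example code, not Apache MINA's own), a JVM-wide JEP 290 deserialization filter rejects any class outside an explicit allowlist before the object graph is built. It assumes Java 9 or later and that the stream IoBuffer.getObject() creates is a standard ObjectInputStream subclass that does not install its own stream-level filter, in which case the global filter is consulted for every class descriptor regardless of what resolveClass() returns; the Greeting class and class names are constructed for this demo.

```java
import java.io.*;
import java.util.ArrayList;

// Added example (not MINA's code): a process-wide JEP 290 deserialization allowlist
// as interim defence in depth until a patched MINA release is deployed.
public class SerialFilterDemo {

    // Constructed stand-in for an application DTO that legitimately passes through getObject().
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Install once at JVM startup, before any ObjectInputStream is created.
    // Equivalent to -Djdk.serialFilter=... on the command line; setting it twice throws.
    static void installGlobalFilter() {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;"          // bound graph depth and array sizes
            + "SerialFilterDemo$Greeting;"       // exact class names that are allowed
            + "java.lang.String;"
            + "!*");                             // reject every other class
        ObjectInputFilter.Config.setSerialFilter(filter);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns true if the bytes deserialized, false if the global filter rejected a class.
    // A plain ObjectInputStream is used here; a library-created subclass inherits the same filter.
    static boolean deserializes(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        installGlobalFilter();
        System.out.println("allowlisted DTO: " + deserializes(serialize(new Greeting("hi"))));
        System.out.println("unlisted class:  " + deserializes(serialize(new ArrayList<String>())));
    }
}
```

The filter bounds what untrusted bytes can instantiate but does not fix the flawed resolveClass(); the version upgrade remains the actual remediation.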