CVE-2022-46366: 
Java vulnerability analysis and mitigation

Apache Tapestry 3.x contains a critical vulnerability (CVE-2022-46366) that allows deserialization of untrusted data, leading to remote code execution. The vulnerability was discovered by Ilyass El Hadi from Mandiant and disclosed on December 2, 2022. This issue affects all versions of Apache Tapestry 3.x, which is no longer supported by the maintainer. The vulnerability is similar to but distinct from CVE-2020-17531, which affects the 4.x version line (Mandiant Advisory, NVD).

The vulnerability stems from the improper handling of the 'sp' parameter's contents, which are under the end-user's control and can be deserialized. The exploitation requires specific payload modifications that differ from those needed for CVE-2020-17531 in version 4.x. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD, Mandiant Advisory).

The vulnerability has a very high impact potential, as successful exploitation could lead to complete compromise of the application's underlying server. The attacker could achieve arbitrary code execution on the affected system, potentially gaining full control over the server (Mandiant Advisory).

No official patch will be released as Apache Tapestry 3.x is End-of-Life (EOL). Users are strongly recommended to upgrade to a supported version line of Apache Tapestry (NVD, Mandiant Advisory).