← voltar
CVE-2022-25845

Deserialization of Untrusted Data

CVSS 8.1 HIGHEPSS 17.8%
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
Produtos afetados
n/a · com.alibaba:fastjson

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60dhttps://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15https://github.com/alibaba/fastjson/releases/tag/1.2.83https://github.com/alibaba/fastjson/wiki/security_update_20220523https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222https://www.ddosi.org/fastjson-poc/https://www.oracle.com/security-alerts/cpujul2022.html