CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: Low
EPSS Percentile: 9.6%
SOFA Hessian restricts deserialization with a class blacklist: class names on the list are refused before a Hessian stream is turned into objects. A gadget chain exists that is not covered by this blacklist and therefore bypasses the protection. The chain relies only on JDK classes and needs no third-party components, so any application that deserializes untrusted Hessian input with a vulnerable version is affected regardless of its other dependencies.
The issue was fixed by updating the blacklist; users should upgrade to sofahessian version 3.5.5. Because the fix is a blacklist update, it blocks this known chain but does not change the blacklist-based design, so Hessian deserialization of untrusted input should still be treated as high risk and not exposed where it can be avoided.
Users can also maintain their own blacklist at the path external/serialize.blacklist.
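As an added example (not part of the advisory or of SOFA Hessian itself), the following Python audits the text of `mvn dependency:tree` for SOFA Hessian artifacts older than 3.5.5, including transitive ones, which is the check a practitioner needs to decide whether a build is affected. The coordinate format is standard Maven output; the sample tree and the com.example artifacts in it are constructed for the demonstration.

```python
import re

# Release in which the advisory says the SOFA Hessian blacklist was updated.
FIXED_VERSION = (3, 5, 5)

# Matches the artifact coordinate as `mvn dependency:tree` prints it, e.g.
# "com.alipay.sofa:hessian:jar:3.3.6:compile" (type/classifier segments optional).
_COORD_RE = re.compile(
    r"com\.alipay\.sofa:hessian:(?:[\w-]+:)*(?P<version>\d[\w.\-]*)"
)


def parse_version(version):
    """Split '3.5.5-SNAPSHOT' into ((3, 5, 5), 'SNAPSHOT')."""
    numeric, _, qualifier = version.partition("-")
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    return parts, qualifier


def is_fixed(version):
    """True only for a release build of 3.5.5 or later.

    A qualified build (e.g. 3.5.5-SNAPSHOT) is deliberately treated as
    unfixed: it may predate the blacklist update and needs manual review.
    """
    parts, qualifier = parse_version(version)
    return not qualifier and parts >= FIXED_VERSION


def audit_dependency_tree(tree_output):
    """Return (version, line) for each SOFA Hessian artifact below the fix.

    Works on the text of `mvn dependency:tree`; transitive entries are found
    too, which matters because the library may arrive through another
    artifact rather than as a direct dependency.
    """
    findings = []
    for line in tree_output.splitlines():
        match = _COORD_RE.search(line)
        if match and not is_fixed(match.group("version")):
            findings.append((match.group("version"), line.strip()))
    return findings


# Constructed sample of `mvn dependency:tree` output; the artifacts and
# versions other than hessian are hypothetical.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo-service ---
[INFO] com.example:demo-service:jar:1.0.0
[INFO] +- com.example:payments-client:jar:2.1.0:compile
[INFO] |  \- com.alipay.sofa:hessian:jar:3.3.6:compile
[INFO] +- com.alipay.sofa:hessian:jar:3.5.5-SNAPSHOT:test
[INFO] \- junit:junit:jar:4.13.2:test
"""

if __name__ == "__main__":
    for version, line in audit_dependency_tree(SAMPLE_TREE):
        print(f"SOFA Hessian {version} is below 3.5.5: {line}")
```

Run it against real output with `mvn dependency:tree | python audit.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; note that only numeric components are compared, so any qualified build is reported for manual review rather than silently accepted.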
Vendor | Product | Version | CPE |
---|---|---|---|
com.alipay.sofa | hessian | * | cpe:2.3:a:com.alipay.sofa:hessian:*:*:*:*:*:*:*:* |