logo
DATABASE RESOURCES PRICING ABOUT US

Starbucks: Java Deserialization RCE via JBoss on card.starbucks.in

Description

The researcher discovered that a Starbucks online system running on the domain `http://card.starbucks.in/` performs deserialization of java objects that are submitted by users on a specific path belonging to JBOSSMQ without sanitizing/validating the data. As a result, an attacker can inject a malicious java object capable of running a command on the system during the deserialization process. We have immediately taken necassary mesures to patch this vulnerability and the researcher responsibly disclosed it to RedHat as well. This was assigned [CVE-2017-7504](https://access.redhat.com/security/cve/cve-2017-7504)


Related