Lucene search
PRIOn knowledge basePRION:CVE-2024-23636HistoryJan 23, 2024 - 6:15 p.m.
Deserialization of untrusted data
2024-01-2318:15:00
PRIOn knowledge base
www.prio-n.com
5
sofarpc
java
rpc
framework
untrusted data
deserialization
vulnerability
fix
sofa hessian
blacklist
protection
mechanism
gadget chain
jdk
third-party
components
version 5.12.0
additional
blacklists
nvd
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like -Drpc_serialize_blacklist_override=org.apache.xpath. to avoid this issue.
Related
osv
osv
Remote Command Execution in SOFARPC
2024-01-23 20:10:20
CVE-2024-23636
2024-01-23 18:15:19
cve
cve
CVE-2024-23636
2024-01-23 18:15:19
cvelist
cvelist
CVE-2024-23636 SOFARPC Remote Command Execution(RCE) Vulnerbility
2024-01-23 17:22:52
nvd
nvd
CVE-2024-23636
2024-01-23 18:15:19
veracode
veracode
Remote Code Execution
2024-01-24 07:23:50
github
github
Remote Command Execution in SOFARPC
2024-01-23 20:10:20