237 matches found
The vulnerability of the AutoTypeCheck mechanism in the Fastjson programming language library allows a perpetrator to execute arbitrary code.
The vulnerability of the AutoTypeCheck mechanism in the Fastjson programming language library is related to deficiencies in the deserialization mechanism. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code...
Deserialization of untrusted data by Fastjson library leads to RCE
Threat Level Vulnerability Report For a detailed advisory, download the pdf file here Summary Applications using the Fastjson java library are impacted by remote code execution vulnerability...
High-Severity RCE Vulnerability Reported in Popular Fastjson Library
Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 CVSS score: 8.1, the issue relates to a case of deserialization of...
ai.houyi:dorado (>=0.0.1 <=0.0.8), ai.houyi:dorado-core (>=0.0.11 <=0.0.51) +12039 more potentially affected by CVE-2022-25845 via com.alibaba:fastjson (>=1.2.25 <=1.2.80)
com.alibaba:fastjson MAVEN version =1.2.25, =0.0.1, =0.0.11, =0.0.16, =0.0.1, =0.0.14, =0.0.47, =0.0.14, =0.1.1, =2.1.0, =2.1.0, =Finchley.SR2.SR1, =Finchley.SR4, =j8.2.2.0, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =j11.2.6.0 and more Source cves: CVE-2022-25845 Source advisory: OSV:GHSA-PV7H-HX5H-M...
CVE-2022-25845
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not...
Fastjson 代码问题漏洞
Fastjson is a Java-based fast JSON parser/generator. versions prior to Fastjson 1.2.83 have a security vulnerability that stems from the ease of bypassing the default autoType off restriction to deserialize untrusted data, which is exploited by attackers to cause code execution...
Unsafe deserialization in com.alibaba:fastjson
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not...
ai.houyi:dorado (>=0.0.1 <=0.0.8), ai.houyi:dorado-core (>=0.0.11 <=0.0.51) +12735 more potentially affected by CVE-2022-25845 via com.alibaba:fastjson (>=1.1.15 <=1.2.80)
com.alibaba:fastjson MAVEN version =1.1.15, =0.0.1, =0.0.11, =0.0.16, =0.0.1, =0.0.14, =0.0.47, =0.0.14, =0.1.1, =2.1.0, =2.1.0, =Finchley.SR2.SR1, =Finchley.SR4, =j8.2.2.0, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =j11.2.6.0 and more Source cves: CVE-2022-25845 Source advisory:...
Deserialization of Untrusted Data
Overview com.alibaba:fastjson is a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows...
Fastjson Remote Code Execution Vulnerability (CNVD-2022-40233)
Fastjson is an open source JSON parsing library , it can parse JSON format strings , support for Java Bean serialized to JSON strings , you can also deserialize from JSON strings to JavaBean. Fastjson has a remote code execution vulnerability that can be exploited by an attacker to bypass the...
PT-2022-2951
Name of the Vulnerable Software and Affected Versions com.alibaba:fastjson versions prior to 1.2.83 Description The vulnerability is related to the deserialization of untrusted data by bypassing the default autoType shutdown restrictions in the Fastjson library. This can be exploited under certai...
JNDI-Injection-Exploit - A Tool Which Generates JNDI Links Can Start Several Servers To Exploit JNDI Injection Vulnerability
JNDI-Injection-Exploit is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server. RMI server and LDAP server are based on marshals and modified further to link with HTTP server. Using this tool allows you get JNDI links, you ca...
Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind
CVE-2020-8840 Jackson-databind远程代码执行漏洞(CVE-2020-8840)分析复现环境代码。 项目包含: jackson-databind、Fastjson中payload WebServer恶意类 编译好的marshalsec-0.0.3-SNAPSHOT-all.jar 漏洞简介 Jackson-databind远程代码执行漏洞(CVE-2020-8840),攻击者可利用xbean-reflect的利用链(org.apache.xbean.propertyeditor.JndiConverter)触发JNDI远程类加载从而达到远程代码执行。...
Exploit for Improper Encoding or Escaping of Output in F5 Nginx
This is an offensive tool for web application security training. It is a collection of vulnerable web applications, each with its own set of vulnerabilities, designed to help users learn and practice web application security testing. The repository contains a variety of web applications, includin...
MCMS fastjson解析RCE漏洞
...
vulhub
This repository is an offensive tool for a collection of vulnerable environments and applications, referred to as "Vulhub". It is a collection of Docker images and scripts that simulate various web applications and systems with known vulnerabilities, allowing users to practice and learn about...
GitHub Security Lab: Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc
This bug was reported directly to GitHub Security Lab...
Arbitrary Code Execution
Fastjson is vulnerable to arbitrary code execution. A deserialization vulnerability exists within the JSON parser and allows the attacker to execute arbitrary code on the host OS...
vulhub
This is an open-source collection of pre-built vulnerable docker environments. It is not a PoC exploit for a specific CVE, but rather a toolkit for testing and demonstrating vulnerabilities. The repository contains a variety of vulnerable environments, including ones for Flask, Apache, and Jenkin...
fastjson:fuzz: Crash with empty stacktrace
Detailed Report: https://oss-fuzz.com/testcase?key=6259722731388928 Project: fastjson Fuzzing Engine: libFuzzer Fuzz Target: fuzz Job Type: libfuzzerasanfastjson Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000039118 Crash State: NULL Sanitizer: address ASAN Recommended Securit...