3 matches found
Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass
A flaw was found in Apache MINA. A remote attacker could exploit a vulnerability in the AbstractIoBuffer.resolveClass method, which failed to properly validate class names for static classes or primitive types. This bypasses the intended security control, known as a classname allowlist, allowing ...
Unsafe Deserialization
Apache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to incomplete enforcement of a classname allowlist in AbstractIoBuffer.resolveClass, where certain branches e.g., for primitive or static classes bypass validation and call Class.forName without checks, allowing attacke...
CVE-2026-41409
A flaw was found in Apache MINA. An incomplete fix for a deserialization vulnerability in the AbstractIoBuffer.getObject method allowed a static initializer in a class to be executed before the classname allowlist was applied. This could enable a remote attacker to execute arbitrary code by sendi...