12 matches found
com.baoquan:verax-sdk (=1.0.0), com.easypayx:easypay-blockchain-java-sdk (>=1.0.0 <=1.0.4) +21 more potentially affected by CVE-2026-41586 via org.hyperledger.fabric-sdk-java:fabric-sdk-java (>=1.0.1 <=2.2.8)
org.hyperledger.fabric-sdk-java:fabric-sdk-java MAVEN version =1.0.1, =1.0.0, =1.0.0-RELEASE, =1.0.0-RELEASE, =0.0.1, =1.0.0, =1.0.0, =1.0, =3.16.1, =1.2.0, =1.3.0, =0.10.1, =014.1 and more Source cves: CVE-2026-41586 Source advisory: SNYK:JAVA-ORGHYPERLEDGERFABRICSDKJAVA-16439197...
Deserialization of Untrusted Data
Overview org.hyperledger.fabric-sdk-java:fabric-sdk-java is a Java SDK for Hyperledger Fabric. Deprecated as of Fabric v2.5, replaced by org.hyperledger.fabric:fabric-gateway. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the deSerializeChannel...
CVE-2026-41586 ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without...
CVE-2026-41586
CVE-2026-41586 affects Hyperledger Fabric’s deprecated fabric-sdk-java (Channel.java) where readObject() is invoked on untrusted bytes without an ObjectInputFilter, enabling Java deserialization RCE. Exploitation requires crafted serialized Channel data processed by deSerializeChannel(), with hig...
com.baoquan:verax-sdk (=1.0.0), com.easypayx:easypay-blockchain-java-sdk (>=1.0.0 <=1.0.4) +21 more potentially affected by CVE-2026-41586 via org.hyperledger.fabric-sdk-java:fabric-sdk-java (>=1.0.1 <=2.2.26)
org.hyperledger.fabric-sdk-java:fabric-sdk-java MAVEN version =1.0.1, =1.0.0, =1.0.0-RELEASE, =1.0.0-RELEASE, =0.0.1, =1.0.0, =1.0.0, =1.0, =3.16.1, =1.2.0, =1.3.0, =0.10.1, =0.11.5 and more Source cves: CVE-2026-41586 Source advisory: OSV:GHSA-PRF8-CF2X-RHX7...
GHSA-PRF8-CF2X-RHX7 fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE
Summary This advisory covers the deprecated fabric-sdk-java client SDK. Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without configuring an ObjectInputFilter. This is the classic Java deserialization RCE pattern...
CVE-2024-2365 Musicshelf SHA-1 PinningTrustManager.java weak password hash
A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. Affected by this vulnerability is an unknown functionality of the file io\fabric\sdk\android\services\network\PinningTrustManager.java of the component SHA-1 Handler. The manipulation leads to password hash with...
Hyperledger: Cross Site Scripting Vulnerability in fabric-sdk-py source code
See this fix on GitHub https://github.com/hyperledger/fabric-sdk-py/pull/175 Impact Some old affected versions of this package are vulnerable to Cross-site Scripting XSS. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html,...
CWE-379 in fabric-sdk-rest version All released versions (project is now archived)
In Hyperledger fabric-sdk-rest version All released versions project is now archived a CWE-379 exists in the packages/fabric-rest/fabric-rest-server script that can be attacked via Local resulting in File overwrite from a privileged user...
GSD-2021-1000003 CWE-379 in fabric-sdk-rest version All released versions (project is now archived)
In Hyperledger fabric-sdk-rest version All released versions project is now archived a CWE-379 exists in the packages/fabric-rest/fabric-rest-server script that can be attacked via Local resulting in File overwrite from a privileged user...
Hyperledger: RCE vulnerability in Hyperledger Fabric SDK for Java
Hyperledger Fabric SDK for Java version 2.0.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. In the following source code files and corresponding line number, an arbitrary file gets parsed by...
X (Formerly Twitter): Bypassing callback_url validation on Digits
Hi, I would like to report an issue in Digits which allows attacker to bypass the callbackurl validation of an application and thus takeover an account. Detail Digits is a part of the Fabric SDK which offers phone-based sign in. It also provides web login flow. In the navigation-based...