37 matches found
EUVD-2024-2768
Malicious code in bioql PyPI...
CVE-2023-35839
A bypass in the sofa-hessian component of Solon before v2.3.3 allows attackers to execute arbitrary code via a crafted payload...
CVE-2024-23636
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there i...
CVE-2024-46983
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blackli...
Remote Code Execution
com.alipay.sofa:hessian is vulnerable to Remote Code Execution. The vulnerability is due to a gadget chain that bypasses the SOFA Hessian protocol's blacklist protection mechanism. This gadget chain relies solely on JDK classes and does not require any third-party components. The issue is fixed i...
CVE-2024-46983
CVE-2024-46983 affects sofa-hessian (SOFA Hessian) where a gadget chain bypasses the blacklist that restricts deserialization. The vulnerability enables a dangerous chain using only JDK classes, with no third-party component reliance stated. The issue is addressed by updating the blacklist; upgra...
CVE-2024-46983 Remote Command Execution (RCE) Vulnerability in sofa-hessian
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blackli...
SOFA Hessian Remote Command Execution (RCE) Vulnerability
Impact SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on...
GHSA-C459-2M73-67HJ SOFA Hessian Remote Command Execution (RCE) Vulnerability
Impact SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on...
PT-2024-32317
Name of the Vulnerable Software and Affected Versions: sofahessian versions prior to 3.5.5. Description: The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, there is a gadget chain that can bypass the SOF...
SOFA-Hessian injection vulnerability
SOFA-Hessian is an open source binary serialization protocol. An injection vulnerability exists in SOFA-Hessian versions prior to 3.5.4, which stems from the presence of a deserialization vulnerability that allows bypassing the blacklisting mechanism...
Remote Code Execution
com.alipay.sofa:sofa-rpc-all is vulnerable to Remote Code Execution. The vulnerability is caused by an insufficient blacklist mechanism for restricting deserialization of potentially dangerous classes within the SOFA Hessian protocol. An attacker can exploit this to bypass the SOFA Hessian blacklis...
Remote Command Execution in SOFARPC
Impact SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian...
Deserialization of untrusted data
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there i...
CVE-2024-23636 SOFARPC Remote Command Execution (RCE) Vulnerability
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there i...
CVE-2024-23636
SOFARPC (Java RPC framework) is vulnerable prior to version 5.12.0 due to a gadget chain that can bypass the Hessian blacklist used to restrict deserialization of potentially dangerous classes. The vulnerability is rooted in the Hessian-based deserialization, which can be manipulated by a gadget cha...
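Every entry above ends with the same advice, upgrade past the fixed release, so the practical check is whether a build pulls in an affected artifact. The script below is an added example, not code from any of the advisories or from the SOFA projects: it scans `mvn dependency:list` output for the two Maven coordinates the listing names (com.alipay.sofa:hessian and com.alipay.sofa:sofa-rpc-all) and flags versions below the fixed releases stated above (3.5.5 for sofa-hessian, the stricter of the two thresholds given on this page since the SOFA-Hessian injection entry says 3.5.4 while PT-2024-32317 says 3.5.5; 5.12.0 for SOFARPC per CVE-2024-23636). The Solon entry (CVE-2023-35839, fixed in v2.3.3) is left out because its Maven coordinates are not given in the listing. The sample dependency list is constructed, not captured from a real build.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as stated by the advisories listed above (not from any project code):
#   com.alipay.sofa:hessian      fixed in 3.5.5  (PT-2024-32317; CVE-2024-46983)
#   com.alipay.sofa:sofa-rpc-all fixed in 5.12.0 (CVE-2024-23636)
# The Solon entry (CVE-2023-35839, fixed in v2.3.3) is not included because its
# Maven coordinates are not given in the listing; add them here if you know them.
FIXED_VERSIONS: Dict[Tuple[str, str], Tuple[Tuple[int, ...], str]] = {
    ("com.alipay.sofa", "hessian"): ((3, 5, 5), "CVE-2024-46983"),
    ("com.alipay.sofa", "sofa-rpc-all"): ((5, 12, 0), "CVE-2024-23636"),
}

# One resolved artifact per line, as printed by `mvn dependency:list`:
#   [INFO]    groupId:artifactId:type:version:scope
DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+"
)
PRERELEASE = re.compile(r"-(?:snapshot|rc|beta|alpha|m)\d*", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix of a Maven version: '3.5.5-SNAPSHOT' -> (3, 5, 5)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(x) for x in m.group(1).split(".")) if m else ()


def is_vulnerable(version: str, fixed: Tuple[int, ...]) -> bool:
    """True when `version` sorts before the fixed release.

    A pre-release of the fixed version (3.5.5-SNAPSHOT, 3.5.5-RC1) precedes the
    release in Maven ordering, so it is still treated as affected. A version with
    no numeric prefix parses to () and is flagged conservatively.
    """
    nums = parse_version(version)
    if nums < fixed:
        return True
    return nums == fixed and bool(PRERELEASE.search(version))


def check_dependencies(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, advisory, action) for every affected artifact.

    Any other artifact whose name contains 'hessian' is reported for manual
    review: the listing above covers only the SOFA fork, and other Hessian
    implementations have their own advisories.
    """
    findings = []
    for line in lines:
        m = DEP_LINE.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        coordinate = f"{group}:{artifact}:{version}"
        if (group, artifact) in FIXED_VERSIONS:
            fixed, advisory = FIXED_VERSIONS[(group, artifact)]
            if is_vulnerable(version, fixed):
                findings.append(
                    (coordinate, advisory, "upgrade to " + ".".join(map(str, fixed)))
                )
        elif "hessian" in artifact.lower():
            findings.append(
                (coordinate, "review", "other Hessian implementation; check its own advisories")
            )
    return findings


# Constructed sample output in `mvn dependency:list` shape, not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.alipay.sofa:hessian:jar:3.5.4:compile
[INFO]    com.alipay.sofa:sofa-rpc-all:jar:5.11.0:compile
[INFO]    com.caucho:hessian:jar:4.0.66:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.13:compile
[INFO]    com.alipay.sofa:hessian:jar:3.5.5:test
"""

if __name__ == "__main__":
    for coordinate, advisory, action in check_dependencies(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"{coordinate}\t{advisory}\t{action}")
```

Run it against real output with `mvn dependency:list | python check_sofa_hessian.py` after replacing the sample with `sys.stdin`; the version comparison is deliberately conservative, so a pre-release of the fixed version and an unparseable version are both reported rather than silently passed. Note that a SOFARPC dependency can pull sofa-hessian in transitively, so scan the resolved list, not just the direct declarations in the pom.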