Lucene search
K

6 matches found

Github Security Blog
Github Security Blog
added 2026/06/10 12:31 a.m.8 views

In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

8.1CVSS5.4AI score0.00489EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/09 11:49 p.m.37 views

CVE-2026-41731 In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

8.1CVSS0.00489EPSS
Exploits0References1
Spring Security Advisories
Spring Security Advisories
added 2026/06/09 12:0 a.m.5 views

CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

8.1CVSS5.9AI score0.00489EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2025/05/23 9:43 a.m.8 views

CVE-2024-23682

Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code...

8.2CVSS8.4AI score0.0035EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2024/11/14 12:0 a.m.6 views

PT-2024-10579 · Google · Android

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue is related to the autofill service, where the package name provided by the app process is trusted inappropriately. This could lead to...

5.5CVSS8.7AI score0.00085EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2022/02/09 12:0 a.m.5 views

PT-2022-28163 · Apache · Maven Enforcer Plugin

Name of the Vulnerable Software and Affected Versions: Artemis Java Test Sandbox versions prior to 1.8.0 Description: The issue allows an attacker to escape the sandbox by including class files in a package that Ares trusts, enabling the execution of arbitrary Java code when a victim runs the...

8.2CVSS8.3AI score0.0035EPSS
Exploits1References13
Rows per page
Query Builder