Veracode Vulnerability Database - VERACODE:44197
History: Nov 09, 2023 - 5:14 a.m.

Deserialization Of Untrusted Data

2023-11-09 05:14:09
sca.analysiscenter.veracode.com
Tags: uimaj-tools, deserialization, untrusted data, java objects, casioutils, remote code execution

AI Score: 8.1 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 27.3%)

uimaj-tools is vulnerable to Deserialization of Untrusted Data. The CasIOUtils class deserializes Java objects without proper data verification, which affects users and developers who use it in their applications and services to parse serialized CAS data. If the serialized objects are untrusted, this weakness can potentially lead to remote code execution.

Name         Operator  Version
uimaj-tools  le        3.4.1
