Lucene search

Veracode Vulnerability DatabaseVERACODE:44576

HistoryDec 05, 2023 - 9:09 a.m.

Remote Code Execution

2023-12-0509:09:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

remote code execution

org.noear

solon.serialization.fury

furyactionexecutor

changebody method

deserialization

validation

arbitrary code

attacker

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.1%

JSON

org.noear, solon.serialization.fury is vulnerable to Remote Code Execution. The vulnerability exists in FuryActionExecutor class in the changeBody method because it blindly deserializes data without validation which allows an attacker to inject and execute arbitrary code.

CPENameOperatorVersion
solon.serialization.furyle2.7.1
solon.serialization.furyle2.7.1

CPE	Name	Operator	Version
	solon.serialization.fury	le	2.7.1
	solon.serialization.fury	le	2.7.1

References

github.com/advisories/GHSA-vwgg-2q82-38c5

github.com/noear/solon/issues/226

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.1%

JSON

Related for VERACODE:44576