9.8
CVE-2022-25845
- EPSS 17.77%
- Veröffentlicht 10.06.2022 20:15:08
- Zuletzt bearbeitet 21.11.2024 06:53:06
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
LoginDeserialization of Untrusted Data
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Oracle ≫ Communications Cloud Native Core Unified Data Repository Version22.2.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 17.77% | 0.968 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
| report@snyk.io | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
https://github.com/alibaba/fastjson/releases/tag/1.2.83
https://github.com/alibaba/fastjson/wiki/security_update_20220523
https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
https://www.ddosi.org/fastjson-poc/