CVE-2023-41331

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41331

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41331.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-41331

Related

GHSA-chv2-7hxj-2j86

Published

2023-09-12T20:15:09Z

Modified

2025-07-29T10:58:09.342345Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat to the blacklist.

References

Affected packages

Git / github.com/sofastack/sofa-rpc

Affected ranges

Type: GIT
Repo: https://github.com/sofastack/sofa-rpc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7177205e4bd54fa0e45ad1e2101d0bdfd0b41ca6

Affected versions

5.*

5.10.1

v5.*

v5.10.0

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.7.0

v5.7.1

v5.7.10

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.7.7

v5.7.8

v5.7.9

v5.8.0

v5.8.1

v5.8.2

v5.8.3

v5.8.4

v5.8.5

v5.8.6

v5.8.7

v5.9.0

v5.9.1

v5.9.2