GHSA-f984-3wx8-grp9

Source
https://github.com/advisories/GHSA-f984-3wx8-grp9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-f984-3wx8-grp9/GHSA-f984-3wx8-grp9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f984-3wx8-grp9
Aliases
Published
2024-08-05T21:29:22Z
Modified
2024-08-05T21:58:56.610115Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • 9.5 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
XXL-RPC Deserialization of Untrusted Data vulnerability
Details

XXL-RPC is a high-performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and supply malicious serialized objects that, once deserialized, force it to execute arbitrary code. This can be abused to take control of the machine the server is running on by way of remote code execution. This issue has not been fixed.

Database specific
{
    "nvd_published_at": "2023-10-18T22:15:09Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-05T21:29:22Z"
}
References

Affected packages

Maven / com.xuxueli:xxl-rpc-core

Package

Name
com.xuxueli:xxl-rpc-core
Purl
pkg:maven/com.xuxueli/xxl-rpc-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.7.0

Affected versions

1.*

1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.6.0
1.7.0
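Because no fixed version exists, the practical defender's check is to find out whether a build pulls in any release inside the affected range (everything up to and including 1.7.0; in the OSV schema `last_affected` is inclusive). The script below is an added example, not code from OSV, GitHub or the xxl-rpc project. It assumes the `groupId:artifactId:type[:classifier]:version:scope` line format that `mvn dependency:list` prints, and the Maven output it scans is a constructed sample, not real project output.

```python
import re

# Affected range taken from GHSA-f984-3wx8-grp9: introduced "0", last_affected "1.7.0".
# OSV's "last_affected" is inclusive, so 1.7.0 itself is affected and no fix is known.
ADVISORY_ID = "GHSA-f984-3wx8-grp9"
AFFECTED_PACKAGE = "com.xuxueli:xxl-rpc-core"
LAST_AFFECTED = "1.7.0"

# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.6.0:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    com.xuxueli:xxl-rpc-core:jar:1.7.0:compile
[INFO]    io.netty:netty-all:jar:4.1.100.Final:compile
[INFO]    com.caucho:hessian:jar:4.0.66:compile
[INFO]    com.xuxueli:xxl-rpc-core:jar:1.2.0:test
"""

# One resolved-dependency line: group:artifact:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)(?:\s.*)?$"
)


def version_key(version):
    """Turn a Maven version into a sortable key.

    Numeric segments compare numerically, trailing zeros are dropped so that
    1.7 == 1.7.0, and a qualifier (e.g. -SNAPSHOT, -rc1) sorts below the plain
    release of the same number. That is how Maven orders pre-releases; it does
    not special-case aliases such as "Final", which is fine for this advisory's
    purely numeric versions.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.\-](.+))?$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = m.group(2) or ""
    return (tuple(nums), qualifier == "", qualifier)


def is_affected(version):
    """True if `version` lies in the advisory's range [0, LAST_AFFECTED]."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_affected(mvn_output):
    """Return (version, scope) for every resolved xxl-rpc-core that is affected."""
    hits = []
    for line in mvn_output.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        coordinate = f"{m['group']}:{m['artifact']}"
        if coordinate == AFFECTED_PACKAGE and is_affected(m["version"]):
            hits.append((m["version"], m["scope"]))
    return hits


if __name__ == "__main__":
    for version, scope in find_affected(SAMPLE_MVN_OUTPUT):
        print(f"{ADVISORY_ID}: {AFFECTED_PACKAGE}:{version} ({scope}) is affected")
```

Run it against real output with `mvn dependency:list | python check_xxl_rpc.py` after replacing the sample constant with `sys.stdin.read()`. Note that the `test` scope hit is reported too: test-only use does not expose a production listener, but the check deliberately flags every occurrence so that the decision is made consciously rather than by omission.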