GHSA-pfwp-8pq4-g7pv

Source

https://github.com/advisories/GHSA-pfwp-8pq4-g7pv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-pfwp-8pq4-g7pv/GHSA-pfwp-8pq4-g7pv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pfwp-8pq4-g7pv

Aliases

CVE-2019-9212

Published

2019-03-06T17:36:08Z

Modified

2024-03-21T16:59:13.340238Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Incomplete List of Disallowed Inputs in SOFA-Hessian

Details

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget.

Database specific

{
    "nvd_published_at": "2019-02-27T17:29:00Z",
    "cwe_ids": [
        "CWE-184",
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:49:03Z"
}

References

Affected packages

Maven / com.alipay.sofa:hessian

Package

Name: com.alipay.sofa:hessian; View open source insights on deps.dev
Purl: pkg:maven/com.alipay.sofa/hessian

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.2

Affected versions

4.*

4.0.0

4.0.1

Maven / com.alipay.sofa:hessian

Package

Name: com.alipay.sofa:hessian; View open source insights on deps.dev
Purl: pkg:maven/com.alipay.sofa/hessian

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.6

Affected versions

3.*

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5