Incomplete List of Disallowed Inputs in SOFA-Hessian

GHSA-pfwp-8pq4-g7pv · CVE-2019-9212

Published Mar 6, 2019 · Modified Mar 21, 2024

Description

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-9212
WEB https://github.com/alipay/sofa-hessian/issues/34
ADVISORY https://github.com/advisories/GHSA-pfwp-8pq4-g7pv
PACKAGE https://github.com/alipay/sofa-hessian

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes