exploitDog
GHSA-7c5v-895v-w4q5

Published: 01 Apr 2025
Source: github
GitHub: reviewed
CVSS3: 8.8

Description

jooby-pac4j: deserialization of untrusted data

Impact

Versions of io.jooby:jooby-pac4j before 2.17.0 (2.x line) and before 3.7.0 (3.x line) deserialize untrusted data read from the session.

Patches

  • 2.17.0 (2.x)
  • 3.7.0 (3.x)

Workarounds

  • Do not use io.jooby:jooby-pac4j until a patched version is available.
  • Review which values you put/save in the session, since any value starting with "b64~" is deserialized on read.

References

Version 2.x:
https://github.com/jooby-project/jooby/blob/v2.x/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L39-L45

Version 3.x:
https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84

Cause

In the pac4j module, io.jooby.internal.pac4j.SessionStoreImpl#get handles session lookups: it reads the value stored under the requested key and passes it to the strToObject helper. strToObject deserializes the value whenever it starts with "b64~". Because the session value is not guaranteed to be trustworthy, this is deserialization of untrusted data (CWE-502).

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java

Here is a small demo in which SessionStoreImpl#get handles the session and the user can pass parameters:

[Screenshot 2025-03-25 051325]

The following shows successful exploitation (the calculator is executed):

[Screenshot 2025-03-24 015128(1)]
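The pattern described above, as an added illustration that is not jooby's code: a hypothetical strToObject that base64-decodes any "b64~"-prefixed session value and hands it straight to ObjectInputStream, beside a variant that installs a JEP 290 ObjectInputFilter allow-list before reading. The allow-listed classes are an assumption for this demo, not the project's actual fix, and the "hostile" class is a harmless placeholder for whatever serializable class an attacker would choose; the page only shows that a real payload launched a calculator.

```java
import java.io.*;
import java.util.Base64;

// Added illustration (not jooby's code) of the "b64~" session-value pattern
// the advisory describes, and of constraining it with an ObjectInputFilter.
public class SessionValueDeserialization {

    static final String PREFIX = "b64~";   // prefix named in the advisory

    // Mirrors the vulnerable pattern: anything tagged b64~ is base64-decoded
    // and handed to ObjectInputStream.readObject() without restriction.
    static Object strToObjectUnsafe(String value) throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(PREFIX)) {
            return value;
        }
        byte[] bytes = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();   // CWE-502: attacker picks the class graph
        }
    }

    // Hardened variant: a JEP 290 filter that only admits the classes this
    // demo's session legitimately stores (the allow-list is an assumption).
    static final ObjectInputFilter SESSION_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.util.*;!*");

    static Object strToObjectFiltered(String value) throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(PREFIX)) {
            return value;
        }
        byte[] bytes = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(SESSION_FILTER);   // must be set before readObject()
            return in.readObject();   // InvalidClassException for anything not allow-listed
        }
    }

    // Produces a "b64~" session value the way a writer side would.
    static String objToStr(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Harmless stand-in for an attacker-chosen serializable class.
    // A real payload would be a gadget chain present on the classpath.
    static class NotASessionClass implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: one legitimate, one attacker-shaped.
        String legit = objToStr(new java.util.HashMap<String, String>());
        String hostile = objToStr(new NotASessionClass());

        System.out.println("unsafe,   legit:   " + strToObjectUnsafe(legit).getClass());
        System.out.println("unsafe,   hostile: " + strToObjectUnsafe(hostile).getClass());

        System.out.println("filtered, legit:   " + strToObjectFiltered(legit).getClass());
        try {
            strToObjectFiltered(hostile);
            System.out.println("filtered, hostile: accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unsafe path instantiates whatever class the bytes name, which is exactly the condition a gadget chain needs; the filtered path fails closed on the first non-allow-listed class descriptor. An allow-list is only as good as its completeness, so enumerate what the session really stores (the advisory's second workaround) before relying on it, and prefer upgrading to 2.17.0 or 3.7.0.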

Packages

Name                  Ecosystem  Affected versions       Fixed version
io.jooby:jooby-pac4j  maven      < 2.17.0                2.17.0
io.jooby:jooby-pac4j  maven      >= 3.0.0.M1, < 3.7.0    3.7.0

EPSS

Percentile: 63%
Score: 0.00452
Low

CVSS3

8.8 High

Weaknesses

CWE-502

Related vulnerabilities

nvd
CVSS3: 8.8
10 months ago

Jooby is a web framework for Java and Kotlin. The pac4j module's io.jooby.internal.pac4j.SessionStoreImpl#get deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).

EPSS: 0.00452 (percentile 63%, Low)
CVSS3: 8.8 High
Weaknesses: CWE-502