Описание
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
- https://access.redhat.com/errata/RHSA-2018:1607
- https://access.redhat.com/errata/RHSA-2018:1608
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149
- http://www.securityfocus.com/bid/100591
Связанные уязвимости
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
In Jboss Application Server as shipped with Red Hat Enterprise Applica ...
Уязвимость метода doFilter в ReadOnlyAccessFilter HTTP платформы JBoss Enterprise Application Platform, позволяющая нарушителю выполнить произвольный код