Description
A deserialization flaw exists in Taoensso Nippy before 2.14.2. Under some circumstances an attacker can craft a malicious payload that executes arbitrary code when it is deserialized (thawed). The root cause is that Nippy automatically falls back to the Java Serializable interface, so a thawed payload can name an arbitrary Serializable class and have it instantiated through standard Java deserialization.
References
- Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions up to 2.14.2 (excluding)
cpe:2.3:a:taoensso:nippy:*:*:*:*:*:*:*:*
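The affected range above is "every version strictly below 2.14.2", which is easy to misjudge by eye (2.14.10 is fixed, 2.14.2-RC1 is not). The following is an added example, not part of this record or of the Nippy project, that extracts com.taoensso/nippy coordinates from Leiningen project.clj text, deps.edn text or dependency-tree output and flags those inside the vulnerable range. The sample inputs are constructed for the example; the `:mvn/version` and bracketed coordinate forms are the standard Clojure dependency syntaxes.

```python
"""Flag Taoensso Nippy dependency versions inside the vulnerable range (< 2.14.2)."""
import re

# First non-vulnerable version, taken from the "up to 2.14.2 (excluding)" CPE bound above.
FIXED_VERSION = "2.14.2"

# Matches the three common spellings of a nippy coordinate:
#   [com.taoensso/nippy "2.14.1"]                 project.clj / `lein deps :tree`
#   com.taoensso/nippy {:mvn/version "2.14.1"}    deps.edn
#   com.taoensso/nippy 2.14.1                     `clojure -Stree` output
_COORD_RE = re.compile(
    r'com\.taoensso/nippy\s+(?:\{:mvn/version\s+)?"?(\d[\w.\-]*)"?'
)


def parse_version(version):
    """Split '2.14.2-RC1' into ((2, 14, 2), 'RC1').

    The numeric core is compared first; a non-empty tag marks a pre-release,
    which sorts before the plain release with the same core.
    """
    core, _, tag = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return nums, tag


def is_vulnerable(version):
    """True when `version` sorts strictly below FIXED_VERSION (the 'excluding' bound)."""
    nums, tag = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    width = max(len(nums), len(fixed))
    nums = nums + (0,) * (width - len(nums))      # 2.14 == 2.14.0
    fixed = fixed + (0,) * (width - len(fixed))
    if nums != fixed:
        return nums < fixed
    # Same numeric core as the fix: only a pre-release (2.14.2-RC1) predates it.
    return tag != ""


def find_nippy_versions(text):
    """Return every nippy version string mentioned in a project file or tree listing."""
    return _COORD_RE.findall(text)


def scan(text):
    """Return [(version, vulnerable)] for each nippy coordinate found in `text`."""
    return [(v, is_vulnerable(v)) for v in find_nippy_versions(text)]


# Constructed sample inputs (not taken from any real project).
SAMPLE_PROJECT_CLJ = """
(defproject example "0.1.0"
  :dependencies [[org.clojure/clojure "1.10.1"]
                 [com.taoensso/nippy "2.14.1"]])
"""

SAMPLE_DEPS_EDN = """
{:deps {org.clojure/clojure {:mvn/version "1.10.1"}
        com.taoensso/nippy  {:mvn/version "3.1.1"}}}
"""

if __name__ == "__main__":
    for name, text in (("project.clj", SAMPLE_PROJECT_CLJ), ("deps.edn", SAMPLE_DEPS_EDN)):
        for version, vulnerable in scan(text):
            status = "VULNERABLE (< 2.14.2)" if vulnerable else "fixed"
            print(f"{name}: com.taoensso/nippy {version}: {status}")
```

Run it over the resolved dependency tree (`lein deps :tree` or `clojure -Stree`) rather than only the project file: Nippy is frequently pulled in transitively by other Taoensso libraries, and the project file will not show those versions.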
EPSS
Score: 0.00141 (percentile 35%), Low
CVSS3
7.8 High
CVSS2
6.8 Medium
Weaknesses
CWE-502 (Deserialization of Untrusted Data)