Описание
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable safeMode.
A flaw was found in com.alibaba:fastjson, a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions.
Меры по смягчению последствий
Users who can not upgrade to the fixed version may enable safeMode; this completely disables the autoType function and eliminates the vulnerability risk. [https://github.com/alibaba/fastjson/wiki/fastjson_safemode]
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Integration Camel K 1 | fastjson | Affected | ||
| Red Hat Integration Camel Quarkus 1 | fastjson | Affected | ||
| Red Hat Integration Data Virtualisation Operator | fastjson | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | fastjson | Not affected | ||
| Red Hat Fuse 7.11 | fastjson | Fixed | RHSA-2022:5532 | 07.07.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
Уязвимость механизма AutoTypeCheck библиотеки языка программирования Java Fastjson, позволяющая нарушителю выполнить произвольный код
EPSS
8.1 High
CVSS3