Описание
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
A flaw was found in Fastjson, a popular Java library for converting Java objects to JSON and vice versa. This vulnerability allows a remote attacker to execute arbitrary code on a system by sending a specially crafted JSON document. The issue stems from Fastjson's "autoType" feature, which, when mishandled, can lead to Java Naming and Directory Interface (JNDI) injection. This allows an attacker to inject and execute malicious code, posing a critical risk to affected systems. This flaw has been actively exploited in real-world attacks.
Отчет
In the Red Hat context, this vulnerability is rated Not Affected because the vulnerable code is not present in Red Hat products.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel9 | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/ratelimit-rhel8 | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | fastjson | Not affected | ||
| Red Hat build of Debezium 2 | fastjson | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
10 Critical
CVSS3
Связанные уязвимости
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
FASTJSON Includes Functionality from Untrusted Control Sphere
10 Critical
CVSS3