CVE-2021-38241: CVE-2021-38241 - du1ge
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
In versions of the Ruoyi management system lower than v4.6.1, the Shiro key is hard-coded, so attackers can use the default key to trigger deserialization and execute commands.
> [VulnerabilityType Other]
>> RCE (Remote command execution)
---------------------------------------------------------------
> [Affected Component]
>> All exp and details in: CVE-2021-38241 - du1ge
---------------------------------------------------------------
> [Attack Type]
>> Remote
---------------------------------------------------------------
> [Impact Code execution]
>> true
---------------------------------------------------------------
> [Attack Vectors]
>> The Shiro deserialization PoC is effective. Use the AES GCM PoC.
---------------------------------------------------------------
> [Discoverer]
>> du1ge
---------------------------------------------------------------
> [Reference]
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437
>> https://gitee.com/y_project/RuoYi
>> CVE-2021-38241 - du1ge
---------------------------------------------------------------
> [Vendor of Product]
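>> yangzongzhuan/RuoYi: (RuoYi) official repository. A permission management system based on SpringBoot; easy to read and understand, with a clean and attractive interface. The core technology uses Spring, MyBatis and Shiro, with no other heavy dependencies. Runs out of the box (github.com)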
---------------------------------------------------------------
> [Affected Product Code Base]
>> Ruoyi <= v4.6.1
---------------------------------------------------------------
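One way to check a code base for the hard-coded Shiro key condition described above, as an added example that is not part of the original advisory or the RuoYi project: it flags base64 literals of valid AES key length that are assigned to a `cipherKey`-style property or passed to `setCipherKey(...)`. The file names, the property name and the all-zero placeholder key are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample inputs (not taken from RuoYi): a placeholder key that is
# the base64 of 16 zero bytes, in the two places such a key usually lives.
SAMPLE_FILES = {
    "application.yml": "shiro:\n  cookie:\n    cipherKey: AAAAAAAAAAAAAAAAAAAAAA==\n",
    "ShiroConfig.java": (
        'manager.setCipherKey(Base64.decode("AAAAAAAAAAAAAAAAAAAAAA=="));\n'
        "manager.setCipherKey(generatedKey.getEncoded());\n"
        "// cipherKey: see deployment secret store\n"
    ),
}

# Assumed naming: a base64 literal after a cipherKey property or inside a setCipherKey(...) call.
KEY_LITERAL = re.compile(
    r"(?i)(?:cipher[-_.]?key\s*[:=]\s*|setCipherKey\s*\([^\"']*)"
    r"[\"']?([A-Za-z0-9+/]{16,}={0,2})"
)
AES_KEY_SIZES = {16, 24, 32}  # bytes: AES-128 / AES-192 / AES-256


def find_static_keys(name, text):
    """Return (file, line_no, key_bits) for every literal AES key found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_LITERAL.finditer(line):
            try:
                raw = base64.b64decode(match.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not a usable key literal
            if len(raw) in AES_KEY_SIZES:
                hits.append((name, line_no, len(raw) * 8))
    return hits


def scan(files):
    findings = []
    for name, text in files.items():
        findings.extend(find_static_keys(name, text))
    return findings


if __name__ == "__main__":
    for name, line_no, bits in scan(SAMPLE_FILES):
        print(f"{name}:{line_no}: static {bits}-bit Shiro cipher key in source/config")
```

A finding means every deployment built from that source shares one key, which is the condition the advisory describes.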