Headline
CVE-2023-40571: 报告weblogic-framework 0.2.3版本存在任意代码执行漏洞
weblogic-framework is a tool for detecting weblogic vulnerabilities. Versions 0.2.3 and prior do not verify the returned data packets, and there is a deserialization vulnerability which may lead to remote code execution. When weblogic-framework gets the command echo, it directly deserializes the data returned by the server without verifying it. At the same time, the classloader loads a lot of deserialization calls. In this case, the malicious serialized data returned by the server will cause remote code execution. Version 0.2.4 contains a patch for this issue.
Package
No package listed
Affected versions
<=0.2.3
Description
Summary
weblogic-framework 0.2.3版本没有对返回的数据包做校验,存在反序列化漏洞,可能会导致远程代码执行。
Details
weblogic-framework 0.2.3版本在获取命令回显的时候,没有对服务端返回的数据做校验就直接反序列化了,同时weblogic-framework 0.2.3版本classloader又加载了很多存在反序列化调用链的jar包,这种情况下服务端返回恶意的序列化数据会导致weblogic-framework 0.2.3客户端产生远程代码执行漏洞。
Impact
weblogic-framework 0.2.3版本