Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pre-auth unsafe deserialization in ZStack
Vulnerability Description
ZStack is open source IaaS (infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in control of the request body is able to provide both the class name and the data to be deserialized, and therefore can instantiate an arbitrary type and assign arbitrary values to its fields. This issue may lead to a Denial of Service. If a suitable gadget is available, an attacker may also be able to exploit this vulnerability to gain pre-auth remote code execution. For additional details see the referenced GHSL-2021-087.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H
Vulnerability Type
Improper Control of Generation of Code (Code Injection)
Vulnerability Title
ZStack Code Issue Vulnerability
Vulnerability Description
ZStack is open source IaaS (infrastructure as a service) software designed to automate data centers, managing compute, storage and network resources through an API. ZStack has a code issue vulnerability: in ZStack before versions 3.10.12 and 4.1.6, the REST API contains a pre-authentication unsafe deserialization vulnerability.
CVSS Information
N/A
Vulnerability Type
N/A