Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SOFARPC Remote Command Execution (RCE) Vulnerability
Vulnerability Description
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)
Vulnerability Title
SOFARPC 安全漏洞
Vulnerability Description
SOFARPC是SOFAStack的一个高性能、高扩展性、生产级的 Java RPC 框架。 SOFARPC 5.11.0之前版本存在安全漏洞,该漏洞源于容易受到远程命令执行的攻击,攻击者可以利用某些本机JDK类和常见的第三方包来构建能够实现JNDI注入或系统命令执行攻击的gadget链。
CVSS Information
N/A
Vulnerability Type
N/A