Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Redisson unsafe deserialization vulnerability
Vulnerability Description
Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue. Some post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
Redisson 代码问题漏洞
Vulnerability Description
Redisson是Redisson开源的一个Java驻内存数据网格。 Redisson 3.22.0版本存在代码问题漏洞,该漏洞源于从 Redis 服务器接收到的一些消息包含客户端反序列化的 Java 对象,而无需进一步验证,攻击者利用该漏洞可以在其响应中包含特制的对象,这些对象一旦被客户端反序列化,就会强制其执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A