Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SOFARPC Remote Command Execution(RCE) Vulnerbility
Vulnerability Description
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
SOFARPC 代码问题漏洞
Vulnerability Description
SOFARPC是SOFAStack的一个高性能、高扩展性、生产级的 Java RPC 框架。 SOFARPC 5.12.0之前版本存在代码问题漏洞,该漏洞源于有一个gadget链可以绕过SOFA Hessian黑名单保护机制,并且这个gadget链仅依赖于JDK,不依赖任何第三方组件。
CVSS Information
N/A
Vulnerability Type
N/A