Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

N/A

可信数据的反序列化

Bio-Formats 代码问题漏洞

Bio-Formats是Open Microscopy Environment开源的一个读取和写入各种显微成像专有文件格式的Java库。 Bio-Formats 8.3.0及之前版本存在代码问题漏洞，该漏洞源于对攻击者控制的.bfmemo缓存文件执行不安全的Java反序列化，可能导致拒绝服务、逻辑操纵或远程代码执行。

N/A

N/A