### Critical Vulnerability Information

#### Vulnerability Overview

- **Vulnerability Name**: jooby-pac4j: deserialization of untrusted data
- **CVE ID**: CVE-2023-31129
- **CVSS Score**: 8.8/10 (High)
- **Release Date**: Yesterday

#### Affected Scope

- **Affected Versions**: 2.x up to and including 2.16.4; 3.x up to and including 3.6.1
- **Fixed Versions**: 2.17.0 (2.x branch) and 3.7.0 (3.x branch)

#### Description

`io.jooby:jooby-pac4j` versions 2.x and 3.x deserialize untrusted data when reading session values. Because Java deserialization resolves and instantiates whatever classes the serialized stream names, an attacker who can influence a session value can trigger a gadget chain from a library on the application's classpath and achieve remote code execution.

#### Cause

In `SessionStoreImpl#get`, a session value that starts with the prefix `b64-` is treated as a Base64-encoded serialized object: the store decodes it and deserializes the result. The only check is on the prefix, not on the origin of the value or on the classes in the stream, so any attacker-influenced string that begins with `b64-` (for example a value the application copied from request input into the session) reaches the deserializer.

#### Workarounds

- Upgrade to a fixed version (2.17.0 or 3.7.0). Until you can, avoid using `io.jooby:jooby-pac4j`.
- Review the values your application stores in and reads back from sessions, in particular any string that could be attacker-controlled and begin with `b64-`.

#### Reference Links

- Version 2.x: [GitHub Link](https://github.com/jooby-project/jooby/blob/v2.x/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L139-L45)
- Version 3.x: [GitHub Link](https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84)

#### Exploitation Example

The referenced screenshot, which is not reproduced here, shows successful exploitation of the vulnerability: specific parameters are passed to the application and a calculator program is launched on the server.
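The following is an added, standalone Java illustration of the pattern described under "Cause", written for this page; it is not jooby's `SessionStoreImpl` and does not reproduce its code. The class name `SessionValueDecoder`, the `Profile` type, the `Map`-backed session and the use of `ObjectInputStream` are assumptions made for the example. It shows the unfiltered decode beside a variant that attaches a JEP 290 `ObjectInputFilter` allow-list, and uses a serialized `HashMap` as a constructed stand-in for a hostile payload (a real exploit would serialize a gadget chain present on the classpath instead).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Standalone illustration of the "b64-" session-value deserialization pattern.
 * NOT jooby's code: SessionValueDecoder, Profile and the Map session are assumptions.
 */
public class SessionValueDecoder {

    static final String PREFIX = "b64-";

    /** Hypothetical serializable type standing in for what a session store legitimately persists. */
    static final class Profile implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Profile(String id) { this.id = id; }
    }

    /** Serializes a value and prefixes it the way the vulnerable store expects. */
    static String encode(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** Vulnerable pattern: any "b64-" value is Base64-decoded and handed straight to ObjectInputStream. */
    static Object getUnfiltered(Map<String, String> session, String key)
            throws IOException, ClassNotFoundException {
        String value = session.get(key);
        if (value == null || !value.startsWith(PREFIX)) {
            return value;
        }
        byte[] bytes = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject(); // every class named in the stream is resolved; a gadget chain runs here
        }
    }

    /** Hardened variant: the filter rejects any class outside the allow-list before it is instantiated. */
    static Object getFiltered(Map<String, String> session, String key, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        String value = session.get(key);
        if (value == null || !value.startsWith(PREFIX)) {
            return value;
        }
        byte[] bytes = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow only the types the store is supposed to persist; the trailing "!*" rejects everything else.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                SessionValueDecoder.class.getName() + "$Profile;java.lang.String;!*");

        Map<String, String> session = new HashMap<>();
        session.put("legit", encode(new Profile("alice")));
        // Constructed stand-in for an attacker-supplied value: a class the store never writes.
        session.put("hostile", encode(new HashMap<String, String>()));

        System.out.println("unfiltered legit   -> " + ((Profile) getUnfiltered(session, "legit")).id);
        System.out.println("unfiltered hostile -> " + getUnfiltered(session, "hostile").getClass().getName());

        System.out.println("filtered legit     -> " + ((Profile) getFiltered(session, "legit", filter)).id);
        try {
            getFiltered(session, "hostile", filter);
        } catch (InvalidClassException e) {
            System.out.println("filtered hostile   -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SessionValueDecoder.java && java SessionValueDecoder` on JDK 9 or later. The unfiltered path instantiates the `HashMap` without complaint, which is exactly the behaviour an exploit relies on; the filtered path throws `InvalidClassException` for it while still returning the `Profile`. An allow-list filter is a mitigation for code that must keep accepting serialized input; the stronger fix is not to deserialize session values that can carry attacker influence at all. A process-wide default can also be set with the `jdk.serialFilter` system property, which applies to every `ObjectInputStream` that does not install its own filter.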