Home Vulnerability High-Severity RCE Vulnerability Reported in Popular Fastjson Library

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

Source Link

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.

Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called “AutoType.” It was patched by the project maintainers in version 1.2.83 released on May 23, 2022.

CyberSecurity

“This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize,” JFrog’s Uriya Yavnieli said in a write-up.

Fastjson is a Java library that’s used to convert Java Objects into their JSON representation and vice versa. AutoType, the function vulnerable to the flaw, is enabled by default and is designed to specify a custom type when parsing a JSON input that can then be deserialized into an object of the appropriate class.

“However, if the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to a deserialization security issue, since the attacker can instantiate any class that’s available on the Classpath, and feed its constructor with arbitrary arguments,” Yavnieli explained.

CyberSecurity

While the project owners previously introduced a safeMode that disables AutoType and started maintaining a blocklist of classes to defend against deserialization flaws, the newly discovered flaw gets around the latter of these restrictions to result in remote code execution.

Users of Fastjson are recommended to update to version 1.2.83 or enable safeMode, which turns off the function regardless of the allowlist and blocklist used, effectively closing variants of the deserialization attack.

“Although a public PoC exploit exists and the potential impact is very high (remote code execution) the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and most importantly — target-specific research is required to find a suitable gadget class to exploit,” Yavnieli said.

Related Articles

Leave a Comment

techhipbettruvabetnorabahisbahis forumutaraftarium24edusedueduseduedueduseduedusedusedu
casinomilyon
padişahbet giriş
neyine casino giriş
lüks casino giriş
betwild giris
biabet giris
padişahbet güncel giriş
kingbetting
betwild giris
plinko romania
biabet giriş
betmatik giriş
rexbet giriş
rokubet casino
imajbet giriş
vegabet
свит бонанза
pin up aviator
sugar rush 1000
cashwin giris