[CXF-6711] Aegis Databinding Deserialization Vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.4
Fix Version/s: 3.1.5, 3.0.8
Component/s: Aegis Databinding
Labels:
None

Estimated Complexity:
Unknown

Description

Just had a quick look after the topic came up on -users. Aegis Databiding seems to perform unsafe deserialization when serializedWhenUnknown=true. Now sure how common that is (and actually no experience with aegis at all), but if used and enabled that's pretty much direct remote code execution.

Attachments

Activity

People

Assignee:: Daniel Kulp

Reporter:: Moritz Bechler

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 15/Dec/15 16:30

Updated:: 14/Oct/16 14:15

Resolved:: 15/Dec/15 21:24