GROOVY-7664: Deserializing Groovy objects results in arbitrary remote code execution

Description

A specific object structure of Groovy objects can be used to run arbitrary commands remotely via unchecked deserialization. See issue COLLECTIONS-580 for a related problem in another library.

See the following link for details:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

The payload-building code:

https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java
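The report above describes the general problem, an application calling ObjectInputStream.readObject() on untrusted bytes, which lets any serializable class on the classpath (Groovy's included) be instantiated and have its readObject() run. The following is an added example, not code from the Groovy project or from this issue, showing the standard mitigation on the consuming side: an allow-list ObjectInputFilter (JEP 290, Java 9 and later) that rejects every class the endpoint does not expect before its readObject() can execute. The Order class, the allow list and the depth/reference/array limits are hypothetical values chosen for the example; a real service would list its own message types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Added example, not code from the Groovy project or from GROOVY-7664:
// an allow-list ObjectInputFilter (JEP 290, Java 9+) that refuses every
// class the service does not expect before its readObject() can run.
public class SafeDeserialization {

    // Hypothetical application type that the endpoint legitimately receives.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // Every class that may appear anywhere in an incoming stream. Classes from
    // other libraries on the classpath (Groovy, Commons Collections, ...) are
    // never on this list, so they are rejected by name, whatever their contents.
    static final Set<String> ALLOWED = Set.of(Order.class.getName(), "java.lang.String");

    // Resource limits for the stream (hypothetical values for this message type).
    static final long MAX_DEPTH = 5, MAX_REFS = 100, MAX_ARRAY = 1_000;

    static ObjectInputFilter allowListFilter() {
        return info -> {
            // Reject oversized or deeply nested graphs regardless of class.
            if (info.depth() > MAX_DEPTH || info.references() > MAX_REFS
                    || info.arrayLength() > MAX_ARRAY) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) {
                // No class on this callback (a limit check only): leave undecided.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            // Arrays are judged by their component type.
            while (cls.isArray()) {
                cls = cls.getComponentType();
            }
            if (cls.isPrimitive() || ALLOWED.contains(cls.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    // Deserialize with the filter installed. Any class outside the allow list
    // makes ObjectInputStream throw InvalidClassException ("filter status: REJECTED")
    // before that class is instantiated.
    static Order readOrder(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowListFilter());
            return (Order) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected message: passes the filter.
        Order ok = readOrder(serialize(new Order("SKU-1", 3)));
        System.out.println("accepted: " + ok.sku + " x" + ok.quantity);

        // Constructed stand-in for an unexpected object: any class outside the
        // allow list is rejected the same way, before its readObject() runs.
        try {
            readOrder(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same policy can be applied process-wide instead of per stream with the jdk.serialFilter system property (for example `-Djdk.serialFilter='SafeDeserialization$Order;java.lang.String;maxdepth=5;!*'`), which protects code paths that construct their own ObjectInputStream. An allow list is preferable to a deny list of known gadget classes because it does not need updating each time a new chain is published in another library on the classpath.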


People

Assignee: Unassigned
Reporter: Devin Rosenbauer (drosenbauer)
Votes: 0
Watchers: 1
