A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.
References
Link | Resource |
---|---|
https://github.com/ptaoussanis/nippy/issues/130 | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2020-09-11 06:15
Updated : 2024-02-28 17:47
NVD link : CVE-2020-24164
Mitre link : CVE-2020-24164
CVE.ORG link : CVE-2020-24164
JSON object : View
Products Affected
taoensso
- nippy
CWE
CWE-502
Deserialization of Untrusted Data