CVE-2024-46983

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-46983
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:antfin:sofa-hessian:*:*:*:*:*:*:*:*
History

25 Sep 2024, 17:46

Type Values Removed Values Added
References () https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj - () https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj - Vendor Advisory
CPE cpe:2.3:a:antfin:sofa-hessian:*:*:*:*:*:*:*:*
First Time Antfin sofa-hessian
Antfin
CWE NVD-CWE-noinfo

20 Sep 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) sofa-hessian es una versión interna mejorada de Hessian3/4 desarrollada por Ant Group CO., Ltd. El protocolo SOFA Hessian utiliza un mecanismo de lista negra para restringir la deserialización de clases potencialmente peligrosas para la protección de la seguridad. Pero hay una cadena de gadgets que puede eludir el mecanismo de protección de lista negra de SOFA Hessian, y esta cadena de gadgets solo se basa en JDK y no depende de ningún componente de terceros. Este problema se soluciona con una actualización de la lista negra; los usuarios pueden actualizar a la versión 3.5.5 de sofahessian para evitar este problema. Los usuarios que no puedan actualizar pueden mantener una lista negra ellos mismos en el directorio `external/serialize.blacklist`.

19 Sep 2024, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-19 23:15

Updated : 2024-09-25 17:46

NVD link : CVE-2024-46983

Mitre link : CVE-2024-46983

CVE.ORG link : CVE-2024-46983

JSON object : View

Products Affected

antfin

  • sofa-hessian
CWE
NVD-CWE-noinfo CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024