-
Notifications
You must be signed in to change notification settings - Fork 358
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
9eb9fa4
commit 60a90ac
Showing
1 changed file
with
81 additions
and
0 deletions.
There are no files selected for viewing
81 changes: 81 additions & 0 deletions
81
advisories/github-reviewed/2024/10/GHSA-76mw-6p95-x9x5/GHSA-76mw-6p95-x9x5.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-76mw-6p95-x9x5", | ||
| "modified": "2024-10-11T22:16:56Z", | ||
| "published": "2024-10-11T22:16:56Z", | ||
| "aliases": [ | ||
| "CVE-2023-25581" | ||
| ], | ||
| "summary": "pac4j-core affected by a Java deserialization vulnerability", | ||
| "details": "pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.pac4j:pac4j-core" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "4.0.0" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25581" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/frohoff/ysoserial" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/pac4j/pac4j" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/pac4j/pac4j/blob/5834aeb22ad3a4369dfa572be60d7b20f5784a8f/pac4j-core/src/main/java/org/pac4j/core/profile/InternalAttributeHandler.java#L95" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://portswigger.net/web-security/deserialization" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://securitylab.github.com/advisories" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://securitylab.github.com/advisories/GHSL-2022-085_pac4j" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-502" | ||
| ], | ||
| "severity": "CRITICAL", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-10-11T22:16:56Z", | ||
| "nvd_published_at": "2024-10-10T16:15:04Z" | ||
| } | ||
| } |