-
-
Notifications
You must be signed in to change notification settings - Fork 724
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Potential vulnerability in JSON deserialization #628
Comments
True. Besides the documentation, I could add additional optional class name checks. For example, only to allow instantiation of classes from e.g. wdyt? |
Class name check (whitelist) is a good solution. |
Need a little help with naming: Would the |
This issue appears to have been assigned CVE-2018-21234. |
Could you show me an example of JSON which lead to RCE? |
Current behavior
Jodd's Json parser supports polymorphic deserialization when setClassMetadataName is set.
If an application parses JSON with this configuration from an untrusted source, it could lead to remote code execution.
The problem is quite the same as in other Java JSON libraries.
Here you can read more:
Expected behavior
At least, you should mention security-implication of usage setClassMetadataName, similar to Jackson databind
Steps to Reproduce the Problem
If necessary, I could send an example of JSON which lead to RCE
The text was updated successfully, but these errors were encountered: