GraniteDS Insecure Deserialization
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Oct 10, 2023
Package
Affected versions
<= 3.1.1.GA
Patched versions
None
Description
Published by the National Vulnerability Database
Jun 11, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jul 25, 2023
Last updated
Oct 10, 2023
The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.
References