Description

pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2024-10-10T15:49:28.316Z

Last Modified :

2024-10-10T16:08:30.517Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2023-25581 vulnerability.

Vendors Products
Pac4j
  • Pac4j
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2023-25581.

URL Resource
https://github.com/frohoff/ysoserial cve-icon cve-icon
https://github.com/pac4j/pac4j/blob/5834aeb22ad3a4369dfa572be60d7b20f5784a8f/pac4j-core/src/main/java/org/pac4j/core/profile/InternalAttributeHandler.java#L95 cve-icon cve-icon
https://portswigger.net/web-security/deserialization cve-icon cve-icon
https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability