Description

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.

INFO

Published Date :

2024-09-19T22:47:14.438Z

Last Modified :

2024-09-20T14:02:54.306Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-46983 vulnerability.

Vendors Products
Antfin
  • Sofa-hessian
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-46983.

URL Resource
https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact