cordova-issues mailing list archives

From "GSS FED (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CB-13186) HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in cordova-plugin-file/src/android/AssetFilesystem.java
Date Thu, 17 Aug 2017 10:57:00 GMT
GSS FED created CB-13186:
----------------------------

             Summary: HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in cordova-plugin-file/src/android/AssetFilesystem.java
                 Key: CB-13186
                 URL: https://issues.apache.org/jira/browse/CB-13186
             Project: Apache Cordova
          Issue Type: Bug
          Components: cordova-android, cordova-plugin-file
    Affects Versions: 5.1.1
         Environment: Android 4 (Crosswalk)
            Reporter: GSS FED
            Assignee: Joe Bowser


Dynamic Code Evaluation: Unsafe Deserialization
[https://vulncat.hpefod.com/en/detail?id=desc.structural.java.dynamic_code_evaluation_unsafe_deserialization]
Abstract:
At runtime, deserializing a user-controlled object stream may allow an attacker to execute arbitrary code on the server, abuse application logic, and/or cause a denial of service.

Line:
56
Snippet:
{code:java}
try {
    ois = new ObjectInputStream(assetManager.open("cdvasset.manifest"));
    listCache = (Map<String, String[]>) ois.readObject();
    lengthCache = (Map<String, Long>) ois.readObject();
    listCacheFromFile = true;
{code}
TargetFunction:
FunctionCall: readObject()

Line:
57
Snippet:
{code:java}
    ois = new ObjectInputStream(assetManager.open("cdvasset.manifest"));
    listCache = (Map<String, String[]>) ois.readObject();
    lengthCache = (Map<String, Long>) ois.readObject();
    listCacheFromFile = true;
} catch (ClassNotFoundException e) {
{code}
TargetFunction:
FunctionCall: readObject()



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
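Editor's note, added here and not part of the JIRA report or of the cordova-plugin-file code: the finding above flags a plain `ObjectInputStream.readObject()` call, which will instantiate any `Serializable` class present in the stream. The usual mitigation is look-ahead deserialization, an `ObjectInputStream` subclass whose `resolveClass` rejects every class descriptor that is not on an explicit allow-list before the object is created. The example below does that for the two maps the manifest is expected to hold (`Map<String, String[]>` and `Map<String, Long>`). `ManifestObjectInputStream`, `SafeManifestDemo`, the `Unexpected` type and the sample manifest contents are constructed for this demo; the allow-list entries are the descriptors Java writes for those map types (`java.lang.Number` appears because `Long`'s descriptor references its superclass). Overriding `resolveClass` works on every Java and Android level, including the Android 4 environment named in the ticket; on Java 9+ (and Android 13+) the `ObjectInputFilter` API is the built-in alternative.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Deserializes only the class descriptors a cdvasset.manifest stream is expected to contain. */
final class ManifestObjectInputStream extends ObjectInputStream {
    // Descriptors produced by a Map<String, String[]> followed by a Map<String, Long>.
    // Strings themselves are written as TC_STRING and never reach resolveClass;
    // String[] arrays and Long (with its superclass Number) do.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "java.lang.String",
            "[Ljava.lang.String;",
            "java.lang.Long",
            "java.lang.Number"));

    ManifestObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Reject before the class is loaded or any of its readObject logic runs.
            throw new InvalidClassException(name, "class not permitted in asset manifest");
        }
        return super.resolveClass(desc);
    }
}

public class SafeManifestDemo {
    // Helper for the demo: serializes objects into an in-memory stream (stand-in for the asset file).
    static byte[] serialize(Object... objs) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            for (Object o : objs) {
                oos.writeObject(o);
            }
        }
        return bos.toByteArray();
    }

    // Same two reads as the flagged code, but through the allow-listing stream.
    @SuppressWarnings("unchecked")
    static void readManifest(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ManifestObjectInputStream(new ByteArrayInputStream(data))) {
            Map<String, String[]> listCache = (Map<String, String[]>) ois.readObject();
            Map<String, Long> lengthCache = (Map<String, Long>) ois.readObject();
            System.out.println("listCache entries: " + listCache.size()
                    + ", lengthCache entries: " + lengthCache.size());
        }
    }

    // Constructed for the demo: any Serializable type that is not on the allow-list.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample manifest contents.
        Map<String, String[]> list = new HashMap<>();
        list.put("www", new String[] {"index.html", "js"});
        Map<String, Long> length = new HashMap<>();
        length.put("www/index.html", 1234L);

        readManifest(serialize(list, length)); // accepted: only allow-listed descriptors

        try {
            readManifest(serialize(new Unexpected(), length));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // unexpected class never instantiated
        }
    }
}
```

Compile and run with `javac SafeManifestDemo.java && java SafeManifestDemo`. The first read succeeds; the second is refused in `resolveClass` with an `InvalidClassException` naming `SafeManifestDemo$Unexpected`, so the check holds regardless of where the stream came from.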

