cxf-issues mailing list archives

From "Moritz Bechler (JIRA)" <>
Subject [jira] [Created] (CXF-6711) Aegis Databinding Deserialization Vulnerability
Date Tue, 15 Dec 2015 16:30:46 GMT
Moritz Bechler created CXF-6711:

             Summary: Aegis Databinding Deserialization Vulnerability
                 Key: CXF-6711
             Project: CXF
          Issue Type: Bug
          Components: Aegis Databinding
    Affects Versions: 3.1.4
            Reporter: Moritz Bechler

Just had a quick look after the topic came up on -users. Aegis Databinding seems to perform
unsafe deserialization when serializedWhenUnknown=true. Not sure how common that is (and actually
no experience with Aegis at all), but if used and enabled that's pretty much direct remote
code execution.

This message was sent by Atlassian JIRA
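The report above does not spell out what "unsafe deserialization" means in practice, so the following is an added illustration (not CXF or Aegis code, and not the fix the project eventually applied): the pattern in which a service decodes an attacker-supplied blob and hands it straight to ObjectInputStream.readObject(), next to a look-ahead guard that refuses any class not on an allow-list before it is resolved. The wire encoding (a Java-serialized object carried as base64 text), the class names SerializedUnknownDemo and AllowListObjectInputStream, and the sample payloads are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/**
 * Added example, not CXF/Aegis code. Shows the unsafe pattern (blind
 * readObject on caller-controlled bytes) and a look-ahead allow-list guard.
 * Assumption: the payload is a Java-serialized object carried as base64 text.
 */
public class SerializedUnknownDemo {

    /** Unsafe variant: whatever class the stream names is instantiated. */
    static Object readUnsafe(String base64) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject(); // attacker-chosen class graph; gadget chains run here
        }
    }

    /** Look-ahead ObjectInputStream: reject a class before it is resolved and instantiated. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    /** Guarded variant: same decoding, but only allow-listed classes can be resolved. */
    static Object readGuarded(String base64, Set<String> allowed) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    /** Helper to build the constructed sample payloads used below. */
    static String serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a list the service expects, and a HashMap it has no reason to accept.
        String expected = serialize(new ArrayList<>(List.of("hello")));
        String unexpected = serialize(new HashMap<String, String>());

        // Only the types the service legitimately exchanges. Note that String itself is
        // written as a primitive stream token and never reaches resolveClass.
        Set<String> allowed = Set.of("java.util.ArrayList", "java.lang.String");

        System.out.println("unsafe  : " + readUnsafe(unexpected).getClass().getName()); // instantiated blindly
        System.out.println("guarded : " + readGuarded(expected, allowed));             // [hello]
        try {
            readGuarded(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("guarded : rejected " + e.classname);
        }
    }
}
```

On JDK 9 and later the same effect is available without subclassing, via JEP 290 filters: ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.String;!*")) rejects everything not listed. Either way the check has to happen in resolveClass (or the filter), before the class is loaded and its readObject runs; validating the result after readObject() returns is too late, because the gadget chain has already executed.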
