Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wdjdoLWh4NWgtbWdmas4AArfz
Unsafe deserialization in com.alibaba:fastjson
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data: under certain conditions an attacker can bypass the default autoType shutdown restrictions, so a crafted JSON document parsed by the library can steer which class is instantiated. Exploiting this allows attacking remote servers that parse attacker-controlled JSON. Workaround: if upgrading is not possible, enable safeMode, which disables autoType entirely.
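The following is an added example written for this page; it is not code from the advisory or from the fastjson project. It puts the vulnerable call shape (untrusted JSON passed to an untyped parseObject on a version before 1.2.83) beside the safeMode workaround the advisory recommends. The Greeting class, the two sample documents and the placeholder "@type" value are constructed for the demo; no gadget class is used, the point is only that safeMode refuses the "@type" key before any class is resolved. safeMode exists from fastjson 1.2.68 onward, so deployments on 1.2.25 through 1.2.67 cannot use this workaround and need the upgrade.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeDemo {

    // Plain data class describing the only shape this endpoint should accept.
    public static class Greeting {
        private String message;
        public String getMessage() { return message; }
        public void setMessage(String message) { this.message = message; }
    }

    // Constructed sample inputs. TAGGED_INPUT carries "@type", the key fastjson
    // reads to pick a class (autoType). The class name is a harmless placeholder,
    // not a gadget: the demo only shows that safeMode rejects the key itself.
    static final String PLAIN_INPUT  = "{\"message\":\"hi\"}";
    static final String TAGGED_INPUT = "{\"@type\":\"java.lang.Object\",\"message\":\"hi\"}";

    // Vulnerable shape on fastjson < 1.2.83: untrusted JSON goes to parseObject
    // with no target type, so "@type" in the input decides what is instantiated,
    // subject only to the autoType restrictions this advisory says can be bypassed.
    static Object parseWithDefaultConfig(String untrustedJson) {
        return JSON.parseObject(untrustedJson);
    }

    // Hardened shape for 1.2.68 .. 1.2.82 when an upgrade is not possible:
    // safeMode switches autoType off completely (no whitelist, no fallback)
    // and the caller names the target type instead of letting the input choose.
    static Greeting parseWithSafeMode(String untrustedJson) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(untrustedJson, Greeting.class);
    }

    public static void main(String[] args) {
        // Default config: the untyped call returns a JSONObject for plain input.
        System.out.println("default config, plain input: " + parseWithDefaultConfig(PLAIN_INPUT));

        // safeMode: plain input still binds to the declared type ...
        System.out.println("safeMode, plain input: " + parseWithSafeMode(PLAIN_INPUT).getMessage());

        // ... but any "@type" key is refused with a JSONException before a class is resolved.
        try {
            parseWithSafeMode(TAGGED_INPUT);
            System.out.println("safeMode, tagged input: UNEXPECTEDLY PARSED");
        } catch (JSONException e) {
            System.out.println("safeMode, tagged input: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same switch can be turned on without a code change by starting the JVM with -Dfastjson.parser.safeMode=true, or by placing fastjson.parser.safeMode=true in a fastjson.properties file on the classpath. Because safeMode is global to the ParserConfig instance, verify that no code path in the application still relies on "@type" for legitimate polymorphic deserialization before enabling it.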
Permalink: https://github.com/advisories/GHSA-pv7h-hx5h-mgfj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wdjdoLWh4NWgtbWdmas4AArfz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 5 days ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pv7h-hx5h-mgfj, CVE-2022-25845
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25845
- https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
- https://github.com/alibaba/fastjson/releases/tag/1.2.83
- https://github.com/alibaba/fastjson/wiki/security_update_20220523
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.ddosi.org/fastjson-poc
- https://github.com/advisories/GHSA-pv7h-hx5h-mgfj
Blast Radius: 41.1
Affected Packages
maven:com.alibaba:fastjson
Dependent packages: 5,171
Dependent repositories: 117,744
Downloads:
Affected Version Ranges: >= 1.2.25, < 1.2.83
Fixed in: 1.2.83
All affected versions: 1.2.25, 1.2.26, 1.2.27, 1.2.28, 1.2.29, 1.2.30, 1.2.31, 1.2.32, 1.2.33, 1.2.34, 1.2.35, 1.2.36, 1.2.37, 1.2.38, 1.2.39, 1.2.40, 1.2.41, 1.2.42, 1.2.43, 1.2.44, 1.2.45, 1.2.46, 1.2.47, 1.2.48, 1.2.49, 1.2.50, 1.2.51, 1.2.52, 1.2.53, 1.2.54, 1.2.55, 1.2.56, 1.2.57, 1.2.58, 1.2.59, 1.2.60, 1.2.61, 1.2.62, 1.2.66, 1.2.67, 1.2.68, 1.2.69, 1.2.70, 1.2.71, 1.2.72, 1.2.73, 1.2.74, 1.2.75, 1.2.76, 1.2.77, 1.2.78, 1.2.79, 1.2.80
All unaffected versions: 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.1.35, 1.1.36, 1.1.37, 1.1.38, 1.1.39, 1.1.40, 1.1.41, 1.1.42, 1.1.43, 1.1.44, 1.1.45, 1.1.46, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 1.2.21, 1.2.22, 1.2.23, 1.2.24, 1.2.83, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50