Fastjson

Fastjson 1.2.68 and Earlier Remote Code Execution Vulnerability Threat Alert

June 8, 2020

Vulnerability Description

On May 28, Fastjson 1.2.68 and earlier were reported to contain a remote code execution vulnerability: a crafted document can bypass the autoType switch and make Fastjson deserialize classes that carry security risks. An attacker who can get such a document parsed by the application could execute arbitrary code on the target machine.


Fastjson 1.2.62 and Earlier Remote Code Execution Vulnerability Threat Alert

March 11, 2020

Vulnerability Description

On February 19, the National Vulnerability Database (NVD) published a JNDI injection vulnerability (CVE-2020-8840) in jackson-databind. The gadget behind that jackson-databind deserialization issue also affects Fastjson. According to NSFOCUS researchers, when the AutoType function is enabled (it is disabled by default), the vulnerability affects Fastjson 1.2.62 and earlier, allowing attackers to achieve remote arbitrary code execution on the target machine.

Fastjson 1.2.60 and Earlier Remote Code Execution Vulnerability Threat Alert

October 2, 2019

Vulnerability Description

On September 18, a security researcher submitted remediation code to Fastjson's official GitHub repository under Alibaba, blocking new exploits of the Fastjson deserialization remote code execution vulnerability. An attacker could exploit this vulnerability to remotely execute malicious code and compromise the server.

Fastjson Remote Denial-of-Service Vulnerability Threat Alert

September 30, 2019

Vulnerability Description

Recently, multiple versions of fastjson were found to contain a remote denial-of-service (DoS) vulnerability. By sending a maliciously crafted JSON string, an attacker could exploit a flaw in fastjson's processing logic to exhaust the server's memory and CPU, resulting in a denial of service.

Fastjson Remote Code Execution Vulnerability Threat Alert

July 23, 2019

Overview

Recently, a security researcher found that the fixes shipped in multiple versions of fastjson are incomplete. Despite those fixes, an attacker could remotely execute code on a server running fastjson via a carefully crafted request. The issue affects fastjson 1.2.47 and earlier and does not require the autoType option to be enabled.
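The alerts above all turn on one mechanism: Fastjson honors an "@type" key in untrusted input and instantiates the class it names, so any gap in the autoType check (the 1.2.68-and-earlier bypass, or the 1.2.47-and-earlier issue that needs no autoType at all) becomes code execution. The following is an added example, not code from the NSFOCUS alerts or from the Fastjson project; it places the unsafe untyped parse beside a hardened parse. It assumes a hypothetical UserProfile DTO, and the class name com.example.SomeGadgetClass is a placeholder, not a real gadget.

```java
// Added example, not taken from the NSFOCUS alerts or the Fastjson project.
// Shows the untyped "@type"-driven parse the alerts warn about next to a
// hardened parse (safeMode, fastjson >= 1.2.68, plus an explicit target type).
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonAutoTypeDemo {

    // Hypothetical DTO: the only shape this endpoint is supposed to accept.
    public static class UserProfile {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed attacker-style input. "@type" asks fastjson to instantiate the
    // named class and feed the remaining fields to its setters. The class name
    // here is a placeholder, not a real gadget.
    static final String UNTRUSTED =
        "{\"@type\":\"com.example.SomeGadgetClass\",\"name\":\"x\"}";

    // Constructed benign input of the expected shape.
    static final String BENIGN = "{\"name\":\"alice\"}";

    // Unsafe: the document, not the application, chooses the class. On the
    // versions listed above (1.2.47 and earlier without autoType; up to 1.2.68
    // via the autoType check bypass) this call is the RCE entry point.
    static Object unsafeParse(String json) {
        return JSON.parse(json);
    }

    // Hardened: (1) safeMode refuses every "@type" regardless of the autoType
    // switch (JVM-wide alternative: -Dfastjson.parser.safeMode=true);
    // (2) the target type is fixed by the caller instead of read from the input.
    static UserProfile hardenedParse(String json) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(json, UserProfile.class);
    }

    public static void main(String[] args) {
        try {
            Object o = unsafeParse(UNTRUSTED);
            System.out.println("untyped parse instantiated: " + o.getClass().getName());
        } catch (JSONException e) {
            // A patched build rejects the class name; a vulnerable build would
            // resolve and instantiate whatever class the input named.
            System.out.println("untyped parse rejected: " + e.getMessage());
        }

        try {
            hardenedParse(UNTRUSTED);
        } catch (JSONException e) {
            System.out.println("hardened parse rejected @type: " + e.getMessage());
        }

        // The expected shape still parses once "@type" is out of the input's hands.
        System.out.println("benign parse name = " + hardenedParse(BENIGN).getName());
    }
}
```

setSafeMode is available from fastjson 1.2.68 onward (or as the JVM flag -Dfastjson.parser.safeMode=true). On older releases the nearest equivalent is leaving setAutoTypeSupport(false) at its default and restricting accepted class prefixes with addAccept, but given the bypass history in these alerts the dependable fix is to upgrade and always parse into an explicit type. Filtering inputs for the literal string "@type" is not a substitute: the parser decodes JSON unicode escapes, so the key can be written in forms a plain string match will not see.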