Fastjson 1.2.68 and Earlier Remote Code Execution Vulnerability Threat Alert
June 8, 2020
Vulnerability Description
On May 28, Fastjson 1.2.68 and earlier were reported to contain a remote code execution vulnerability: a crafted JSON document can bypass the autoType check and cause the parser to deserialize classes that pose security risks. Attackers could exploit this vulnerability to execute arbitrary code on the target machine.
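The vulnerability description above turns on Fastjson's autoType mechanism: a top-level "@type" key names the class the parser instantiates. The following is an added example, not code from the advisory or from the Fastjson project, showing the switch being exercised and the hardening the 1.2.68 line introduced, safeMode, which refuses every "@type" regardless of accept lists. It assumes fastjson 1.2.68 or later on the classpath (safeMode does not exist in earlier releases, which must be upgraded); the payload is constructed here and names a harmless JDK class only to show that the key is honoured or rejected.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeDemo {

    // Constructed payload (not from the advisory): "@type" is the key that drives autoType.
    // java.util.HashMap is used only because it is harmless; an attacker would name a gadget class.
    static final String TYPED_PAYLOAD = "{\"@type\":\"java.util.HashMap\",\"k\":\"v\"}";

    // Parse with whatever the global ParserConfig currently allows; returns the runtime class
    // Fastjson chose, or null if the parser rejected the "@type" directive.
    static String parseAndReportType(String json) {
        try {
            Object parsed = JSON.parse(json);
            return parsed.getClass().getName();
        } catch (JSONException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // 1) Default configuration: autoType is honoured for classes Fastjson considers safe,
        //    so the "@type" key selects the class that gets instantiated.
        System.out.println("default config: " + parseAndReportType(TYPED_PAYLOAD));

        // 2) Hardened: safeMode (added in 1.2.68) turns autoType off completely. Any "@type"
        //    raises a JSONException before class resolution, whatever accept list is configured.
        //    The same setting can be applied JVM-wide with -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        String result = parseAndReportType(TYPED_PAYLOAD);
        System.out.println("safeMode: " + (result == null ? "rejected \"@type\"" : result));
    }
}
```

safeMode is the setting to prefer where an application never needs polymorphic deserialization; `ParserConfig.getGlobalInstance().setAutoTypeSupport(false)` is the older, weaker switch (off by default) whose accept-list checks are what the alerts on this page describe being bypassed.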
Fastjson 1.2.62 and Earlier Remote Code Execution Vulnerability Threat Alert
March 11, 2020
Vulnerability Description
On February 19, the National Vulnerability Database (NVD) published a JNDI injection vulnerability (CVE-2020-8840) in jackson-databind. The gadget that jackson-databind deserializes also affects Fastjson: according to researchers from NSFOCUS, when the AutoType function is enabled (it is disabled by default), this vulnerability affects Fastjson 1.2.62 and earlier and allows attackers to execute arbitrary code remotely on the target machine.
Fastjson 1.2.60 and Earlier Remote Code Execution Vulnerability Threat Alert
October 2, 2019
1 Vulnerability Description
On September 18, a security researcher submitted remediation code to Fastjson's official repository on Alibaba's GitHub to block new exploits of the Fastjson deserialization remote code execution vulnerability. An attacker could exploit this vulnerability to execute malicious code remotely and compromise the server.
Fastjson Remote Denial-of-Service Vulnerability Threat Alert
September 30, 2019
Vulnerability Description
Recently, multiple versions of fastjson have been found to contain a remote denial-of-service (DoS) vulnerability. By sending a maliciously crafted JSON string, an attacker could exploit a flaw in fastjson's processing logic to exhaust the server's memory and CPU resources, leading to a denial of service.
Fastjson Remote Code Execution Vulnerability Threat Alert
July 23, 2019
Overview
Recently, a security researcher discovered an issue with the fixes shipped in multiple versions of fastjson. Despite these fixes, an attacker could remotely execute code on a server running fastjson via a carefully crafted request. This issue affects fastjson 1.2.47 and earlier and does not require the autoType option to be enabled.