Tag: Fastjson

Vulnerability Description On May 28, Fastjson 1.2.68 and before were reported to contain a remote code execution vulnerability that bypasses the autoType switch to implement deserialization of classes that contain security risks. Attackers could exploit this vulnerability to execute arbitrary code on the target machine. (mais…)

Vulnerability Description On February 19, National Vulnerability Database (NVD) released a JNDI injection vulnerability (CVE-2020-8840) in jackson-databind. However, gadget deserialization in jackson-databind also affects Fastjson. According to researchers from NSFOCUS, when the AutoType fucntion is enabled (disabled by default), this vulnerability affects Fastjson 1.2.62, allowing attackers to result in remote...

1 Vulnerability Description On September 18, a security researcher submitted Fastjson remediation code on Alibaba's official GitHub to prevent new exploits of the Fastjson deserialization remote code execution vulnerability. An attacker could exploit this vulnerability to remotely execute malicious code to compromise the server. (mais…)

Vulnerability Description Recently, multiple versions of fastjson have been found to contain a remote denial-of-service (DoS) vulnerability. An attacker could exploit a flaw in the processing logic of fastjson to exhaust memory and CPU resources of the server via a maliciously crafted json string, leading to a denial of service....

Overview Recently, a security researcher discovered an issue with the fixes for multiple versions of fastjson. Despite these fixes, an attacker could remotely execute code on a server running fastjson via a carefully crafted request. This issue affects fastjson 1.2.47 and earlier and does not require enabling the autotype option....