GHSA-pv7h-hx5h-mgfj

Source
https://github.com/advisories/GHSA-pv7h-hx5h-mgfj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-pv7h-hx5h-mgfj/GHSA-pv7h-hx5h-mgfj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pv7h-hx5h-mgfj
Aliases
Published
2022-06-11T00:00:17Z
Modified
2025-01-08T14:12:07.704133Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Unsafe deserialization in com.alibaba:fastjson
Details

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data (CWE-502): under certain conditions, the default autoType shutdown restrictions can be bypassed, so attacker-controlled JSON can cause arbitrary classes to be instantiated during parsing. Exploiting this vulnerability allows attacking remote servers that deserialize untrusted input with fastjson. Workaround: if upgrading is not possible, enable safeMode, which disables autoType entirely.

Database specific
{
    "nvd_published_at": "2022-06-10T20:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:58:22Z"
}
References

Affected packages

Maven / com.alibaba:fastjson

Package

Name
com.alibaba:fastjson
Purl
pkg:maven/com.alibaba/fastjson

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.25
Fixed
1.2.83

Affected versions

1.*

1.2.25
1.2.25.sec10
1.2.26
1.2.27
1.2.27.sec06
1.2.27.sec09
1.2.27.sec10
1.2.28
1.2.28.odps
1.2.29
1.2.29.sec04
1.2.29.sec06
1.2.29.sec09
1.2.29.sec10
1.2.30
1.2.31
1.2.31.sec10
1.2.31_noneautotype
1.2.32
1.2.33
1.2.34
1.2.35
1.2.36
1.2.37
1.2.38
1.2.39
1.2.40
1.2.41
1.2.42
1.2.43
1.2.44
1.2.45
1.2.46
1.2.47
1.2.48
1.2.48.sec06
1.2.48.sec09
1.2.48.sec09_noneautotype
1.2.48.sec10
1.2.48_noneautotype
1.2.49
1.2.50
1.2.50.sec10
1.2.50_noneautotype
1.2.51
1.2.51.sec06
1.2.51.sec10
1.2.52
1.2.52.sec06
1.2.52.sec09_noneautotype
1.2.52.sec10
1.2.53
1.2.54
1.2.54.sec06
1.2.54.sec10
1.2.54_noneautotype
1.2.55
1.2.55.sec10
1.2.56
1.2.56.sec06
1.2.57
1.2.57.sec06
1.2.57.sec10
1.2.57_noneautotype
1.2.58
1.2.58.sec06
1.2.58.sec09
1.2.58.sec10
1.2.59
1.2.60
1.2.60.sec09
1.2.60.sec09_noneautotype
1.2.60.sec10
1.2.60_noneautotype
1.2.61
1.2.61.sec10
1.2.62
1.2.62_noneautotype
1.2.63_noneautotype
1.2.66
1.2.67
1.2.67.sec10
1.2.67_noneautotype
1.2.67_noneautotype2
1.2.68
1.2.68.sec10
1.2.69
1.2.69_noneautotype
1.2.69_sec11
1.2.69_sec12
1.2.70
1.2.71
1.2.71_noneautotype
1.2.72
1.2.72_noneautotype
1.2.73
1.2.74
1.2.75
1.2.75_noneautotype
1.2.76
1.2.77
1.2.78
1.2.79
1.2.80