Closed
Description
This issue covers the following CVEs related to polymorphic deserialization, gadgets:
- CVE-2018-14718: RCE with slf4j-ext jar
- CVE-2018-14719: RCE with blaze-ds-opt, -core jars
- CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions)
- CVE-2018-14721: exfiltration/SSRF with axis2-jaxws
Original vulnerability discoverer:
吴桂雄 Wuguixiong
Fixed in:
- 2.9.7 and later
- 2.8.11.3
- 2.7.9.5
- 2.6.7.3
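
A dependency check built from the "Fixed in" list above, as an added example that is not part of the original issue or of the jackson-databind project. The names `has_fix` and `audit`, the sample versions, and the treatment of later micro-patches on a listed branch as fixed are assumptions.

```python
import re

# Fixed releases exactly as listed in this issue, keyed by (major, minor) branch.
FIXED_IN = {
    (2, 6): (2, 6, 7, 3),
    (2, 7): (2, 7, 9, 5),
    (2, 8): (2, 8, 11, 3),
    (2, 9): (2, 9, 7, 0),
}
NEWEST_LISTED_BRANCH = max(FIXED_IN)


def parse_version(text):
    """Turn '2.8.11.3' or '2.9.7' into a 4-tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        # Qualifiers such as -SNAPSHOT or .pr1 are not ordered here; fail loudly.
        raise ValueError(f"unrecognised jackson-databind version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def has_fix(version):
    """True if this version carries the fix for CVE-2018-14718 to -14721."""
    v = parse_version(version)
    branch = v[:2]
    if branch > NEWEST_LISTED_BRANCH:
        return True  # "2.9.7 and later" covers branches after 2.9
    floor = FIXED_IN.get(branch)
    # Assumptions: a later micro-patch on a listed branch keeps the fix;
    # a branch with no release in the list (e.g. 2.5) is treated as unfixed.
    return floor is not None and v >= floor


def audit(versions):
    """Map each version string to 'fixed', 'unfixed' or 'unparseable'."""
    report = {}
    for version in versions:
        try:
            report[version] = "fixed" if has_fix(version) else "unfixed"
        except ValueError:
            report[version] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed sample input, e.g. versions collected from build manifests.
    for version, status in audit(["2.9.6", "2.8.11.3", "2.7.9", "2.9.8-SNAPSHOT"]).items():
        print(f"jackson-databind {version}: {status}")
```

Versions reported as `unparseable` need a manual look rather than a guess, since a pre-release qualifier can sort either side of the fixed release.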