The Issue
Object Deserialization Injection attacks utilise overly trusted, user-controlled input passed to deserialisation functions. The deserialisation of objects can trigger certain methods within the object, allowing the attacker to perform unauthorised actions such as execution of code, disclosure of information, etc.
Where the Issue Occurred
Displayed below is the code within the project, where the user input is passed into the deserialisation function:
megamek/megamek/src/megamek/common/net/ObjectStreamConnection.java
Line 67 in f28ccf9
The above code can be manipulated by specially crafted network packets.
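To show concretely why a plain `ObjectInputStream.readObject()` on network data is dangerous, and what the usual fix looks like, here is an added, self-contained example. It is not code from MegaMek or from this report: the `EvilPayload` and `GamePacket` classes, the class names in the filter string and the sample values are all constructed for the demonstration. The only project-independent facts it relies on are that a `Serializable` class's private `readObject` runs during deserialisation (before the caller can type-check or cast the result) and that the JDK 9+ `ObjectInputFilter` API can reject a class before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public class DeserializationDemo {

    // Constructed stand-in for a gadget class. Real gadget chains live in
    // third-party libraries on the classpath; this one only records that its
    // readObject hook executed while the stream was being read.
    static class EvilPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        String command;
        EvilPayload(String command) { this.command = command; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Runs inside readObject(), before the caller sees (or casts) the result.
            System.out.println("EvilPayload.readObject ran with: " + command);
        }
    }

    // Constructed stand-in for the message type a game connection expects.
    static class GamePacket implements Serializable {
        private static final long serialVersionUID = 1L;
        int command;
        Object[] data;
        GamePacket(int command, Object[] data) { this.command = command; this.data = data; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: every class named in the peer's bytes is resolved and
    // instantiated, and its readObject hooks run, whatever the caller expected.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allow-list exactly the classes the protocol needs, bound
    // the object graph, and reject everything else ("!*") before instantiation.
    // Array classes are matched by their element type, so java.lang.Object
    // covers the Object[] field; Number is needed because it is Integer's
    // serializable superclass.
    static final ObjectInputFilter PACKET_FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$GamePacket;java.lang.Object;java.lang.String;"
            + "java.lang.Integer;java.lang.Number;maxdepth=10;maxarray=4096;!*");

    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(PACKET_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new GamePacket(7, new Object[] {"unit-1", 42}));
        byte[] hostile = serialize(new EvilPayload("whoami")); // constructed hostile stream

        // 1. Unfiltered: the hostile class's readObject executes. A cast such as
        //    (GamePacket) readUnfiltered(hostile) would fail, but only afterwards.
        Object o = readUnfiltered(hostile);
        System.out.println("unfiltered returned " + o.getClass().getName());

        // 2. Filtered: legitimate traffic still works...
        GamePacket p = (GamePacket) readFiltered(legit);
        System.out.println("filtered accepted command=" + p.command + " data=" + Arrays.toString(p.data));

        // ...while the hostile class is rejected before it is instantiated.
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on JDK 9 or later. In a server such as the one described in this report, the filter would be installed on the `ObjectInputStream` the connection creates (per stream via `setObjectInputFilter`, or process-wide through the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`). The allow-list must enumerate every class the protocol legitimately carries; a deny-list of known gadget classes is not a substitute, because new gadget chains keep appearing in common libraries.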