Skip to content

Deserialization of untrusted data (`GHSL-2022-086`)

High
david-leifker published GHSA-hrwp-2q5c-86wv Jan 6, 2023

Package

datahub-frontend (Java)

Affected versions

<v0.9.5

Patched versions

v0.9.5

Description

Conditions

DataHub configured for authentication via SSO.

Impact

This issue may lead to Remote Code Execution (RCE) in the worst case. Although a RestrictedObjectInputStream is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains.

Remediation

Updated pac4j to version 4.x or later.

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-25558

Weaknesses

No CWEs

Credits