The BeanXMLByteCoder class provides a decode() method to decode an Object from an InputStream.
When the decode() method is called, the program calls XMLDecoder.readObject() to parse the XML string without any check, which causes an XML deserialization vulnerability.
Thanks for reporting the issue to us.
BeanXMLByteCoder is a small adapter for the XMLDecoder and XMLEncoder classes from the standard Java API.
As you point out, the security issue is located in the XMLDecoder.readObject method when reading from an untrusted input source.
As far as I can see, BeanXMLByteCoder is part of the Glazed Lists IO extension, but is not used actively in the code base.
A Glazed Lists user using BeanXMLByteCoder should only deserialize from trusted input sources.
Please note that the Glazed Lists IO extension is deprecated and will be removed in the next major version of Glazed Lists.
But even if BeanXMLByteCoder is removed, the vulnerability is still there in XMLDecoder. There's nothing we can do about that.
vulnerability location:
ca.odell.glazedlists.impl.io.BeanXMLByteCoder#decode
attack payload:
Use a little program to test.
os: windows 10
jdk: 1.8.0_111
glazedlists: 1.11.0
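The pattern described in this report is readObject() called on an untrusted stream with no check in between. As an added illustration (not code from the issue, from Glazed Lists, or from the JDK), the hypothetical GuardedBeanXmlDecoder below places the unchecked pattern beside a hardened variant: before the bytes reach XMLDecoder, a hardened SAX pass rejects any document that names a class outside a fixed allowlist, covering the `class` attribute on elements such as `<object>`, `<array>` and `<new>` as well as the text of `<class>` elements. The allowlist contents and the sample document are constructed for the example; the root `<java>` element of the XMLEncoder format carries `class="java.beans.XMLDecoder"`, so that name is allowed too.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical hardened wrapper (not GlazedLists code). */
public final class GuardedBeanXmlDecoder {

    // Constructed allowlist: only the bean types this application expects,
    // plus the root element's own class attribute. JDK 8 compatible, hence no Set.of().
    private static final Set<String> ALLOWED_CLASSES = new HashSet<>(Arrays.asList(
            "java.beans.XMLDecoder", "java.lang.String",
            "java.util.ArrayList", "java.util.HashMap"));

    /** The pattern reported in the issue: readObject() on raw input, no checks at all. */
    public static Object decodeUnchecked(InputStream in) {
        try (XMLDecoder decoder = new XMLDecoder(in)) {
            return decoder.readObject();
        }
    }

    /** Hardened form: scan every class reference first, then decode the same bytes. */
    public static Object decodeGuarded(byte[] xml) throws IOException, SAXException {
        scanClassReferences(xml);
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return decoder.readObject();
        }
    }

    private static void scanClassReferences(byte[] xml) throws IOException, SAXException {
        DefaultHandler handler = new DefaultHandler() {
            private final StringBuilder text = new StringBuilder();
            private boolean inClassElement;

            @Override
            public void startElement(String uri, String local, String qName, Attributes atts)
                    throws SAXException {
                String cls = atts.getValue("class"); // <object class=..>, <array class=..>, <new class=..>
                if (cls != null) require(cls);
                inClassElement = "class".equals(qName); // <class>name</class> also yields a Class object
                text.setLength(0);
            }

            @Override
            public void characters(char[] ch, int start, int len) {
                if (inClassElement) text.append(ch, start, len);
            }

            @Override
            public void endElement(String uri, String local, String qName) throws SAXException {
                if (inClassElement) {
                    require(text.toString().trim());
                    inClassElement = false;
                }
            }

            private void require(String cls) throws SAXException {
                if (!ALLOWED_CLASSES.contains(cls)) {
                    throw new SAXException("class not on allowlist: " + cls);
                }
            }
        };
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            // No DTDs: the pre-scan itself must not be abusable through external entities.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.newSAXParser().parse(new ByteArrayInputStream(xml), handler);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("SAX parser misconfigured", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in java.beans XMLEncoder format: an ArrayList holding one String.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
                + " <object class=\"java.util.ArrayList\">\n"
                + "  <void method=\"add\"><string>hello</string></void>\n"
                + " </object>\n"
                + "</java>";
        System.out.println(decodeGuarded(benign.getBytes(StandardCharsets.UTF_8))); // [hello]
    }
}
```

The guard narrows what a document may instantiate, but it does not make XMLDecoder safe for arbitrary input: method and property invocations on allowlisted classes are still executed, and the allowlist has to stay as small as the application's real bean set. The maintainer's advice above remains the primary control: feed XMLDecoder only input from trusted sources, and treat the pre-scan as defence in depth.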