Closed
Description
Query PR
Language
Java
CVE(s) ID list
CVE-2016-6194
CWE
CWE-502
Report
Deserialization can sometimes be implemented in two steps. An untrusted serialized object can be stored in a field, but actual deserialization happens only when the object is necessary. CVE-2016-6194 in RabbitMQ is an example of such a scenario (GitHub issue). Untrusted data that comes from a response is stored in the `RMQObjectMessage.buf` field. Then, deserialization happens when the `getObject()` method is called. Currently, the `java/unsafe-deserialization` query doesn't catch this. I've suggested several updates to the query that allow detecting it.
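The two-step shape the report describes, as an added illustration that is not RabbitMQ's code: untrusted bytes are stored in a field first and only deserialized later in `getObject()`, shown once unfiltered and once with a deserialization filter. The class names (`TwoStepDeserialization`, `BufferedObjectMessage`, `Greeting`) are hypothetical.

```java
import java.io.*;

// Hypothetical payload type: the only class this message is meant to carry.
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

public class TwoStepDeserialization {
    // Hypothetical message class with the "store now, deserialize later" shape from
    // the report: untrusted bytes sit in a field and are only decoded in getObject().
    static class BufferedObjectMessage {
        private byte[] buf;                                   // step 1: bytes from a response
        void setBody(byte[] body) { this.buf = body.clone(); }

        // step 2, vulnerable shape: any serializable class on the classpath may be built
        Object getObjectUnfiltered() throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf))) {
                return in.readObject();
            }
        }

        // step 2, hardened shape: same call site, but an ObjectInputFilter (Java 9+)
        // admits only the expected class and rejects every other class name
        Object getObject() throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf))) {
                in.setObjectInputFilter(
                        ObjectInputFilter.Config.createFilter("Greeting;java.lang.String;!*"));
                return in.readObject();
            }
        }
    }

    // Serializes a constructed sample object so the demo runs offline.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        BufferedObjectMessage msg = new BufferedObjectMessage();
        msg.setBody(serialize(new Greeting("hello")));          // constructed, expected type
        System.out.println(((Greeting) msg.getObject()).text);  // accepted by the filter
        msg.setBody(serialize(new java.util.Date()));           // constructed, unexpected type
        try { msg.getObject(); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A taint-tracking query needs to follow the data from `setBody` through the `buf` field into the `readObject()` call inside `getObject()`; a sink check that only looks at the method where the bytes arrive misses this.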
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response