Closed
Labels
All For One: Submissions to the All for One, One for All bounty
Description
Query PR
Language
Java
CVE(s) ID list
CVE-2016-6194
CWE
CWE-502
Report
Deserialization can sometimes be implemented in two steps: an untrusted serialized object is stored in a field, and actual deserialization happens only when the object is needed. CVE-2016-6194 in RabbitMQ is an example of such a scenario (GitHub issue). Untrusted data that comes from a response is stored in the RMQObjectMessage.buf field; deserialization then happens when the getObject() method is called. Currently, the java/unsafe-deserialization query doesn't catch this. I've suggested several updates to the query that allow detecting it.
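The two-step shape described above, as an added illustration that is not RabbitMQ's code and not the CodeQL query: the raw bytes are stored in a field at one point and only passed to ObjectInputStream later, in the getter, so the sink is far from the point where the data arrived. The class and field names (LazyMessage, buf, Greeting, Unexpected) are hypothetical stand-ins. The hardened variant shows the usual mitigation for such a sink, a JEP 290 ObjectInputFilter allow-list with depth, reference and size limits installed before any class is resolved.

```java
import java.io.*;

/*
 * Added illustration (hypothetical names; not RabbitMQ's code and not the
 * CodeQL query): lazy, two-step deserialization and a filtered variant.
 */
public class LazyDeserializationDemo {

    // Stand-in for a message class that keeps the bytes from a response
    // and only deserializes them when the payload is requested.
    static class LazyMessage {
        private final byte[] buf; // untrusted bytes, stored but not yet deserialized

        LazyMessage(byte[] buf) { this.buf = buf; }

        // The shape the report describes: the sink is here, not where buf was filled.
        Object getObjectUnfiltered() throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf))) {
                return in.readObject();
            }
        }

        // Hardened shape: a serial filter (Java 9+) decides which classes may be
        // resolved and bounds graph depth, reference count and stream size, before
        // ObjectInputStream instantiates anything. Everything not listed is rejected.
        Object getObjectFiltered() throws IOException, ClassNotFoundException {
            ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxrefs=64;maxbytes=4096;"
                + "LazyDeserializationDemo$Greeting;java.lang.String;!*");
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf))) {
                in.setObjectInputFilter(filter);
                return in.readObject();
            }
        }
    }

    // The one payload type the application expects (constructed for this demo).
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
        @Override public String toString() { return "Greeting(" + text + ")"; }
    }

    // A serializable class the application never expects to receive.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Helper to build a serialized stream for the demo inputs.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));      // constructed sample input
        byte[] unexpected = serialize(new Unexpected());       // constructed sample input

        // Unfiltered: whatever class arrived in the stream is instantiated.
        System.out.println("unfiltered, benign:     " + new LazyMessage(benign).getObjectUnfiltered());
        System.out.println("unfiltered, unexpected: "
            + new LazyMessage(unexpected).getObjectUnfiltered().getClass().getName());

        // Filtered: the expected class passes, any other class is rejected
        // with InvalidClassException before its constructor or readObject runs.
        System.out.println("filtered, benign:       " + new LazyMessage(benign).getObjectFiltered());
        try {
            new LazyMessage(unexpected).getObjectFiltered();
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

For taint tracking, the point is that the source (the bytes assigned to buf) and the sink (readObject() in getObjectFiltered/getObjectUnfiltered) sit in different methods joined only by a field, which is why a query that looks for a direct flow from response data into an ObjectInputStream misses the pattern; the filter shows where a defender can stop the flow regardless of how the query is written.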
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response