CVE-2019-9212

** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated.
References
Link Resource
https://github.com/alipay/sofa-hessian/issues/34 Issue Tracking Patch Third Party Advisory
https://github.com/alipay/sofa-hessian/issues/34 Issue Tracking Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:antfin:sofa-hessian:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:51

Type Values Removed Values Added
References () https://github.com/alipay/sofa-hessian/issues/34 - Issue Tracking, Patch, Third Party Advisory () https://github.com/alipay/sofa-hessian/issues/34 - Issue Tracking, Patch, Third Party Advisory

Information

Published : 2019-02-27 17:29

Updated : 2024-11-21 04:51


NVD link : CVE-2019-9212

Mitre link : CVE-2019-9212

CVE.ORG link : CVE-2019-9212


JSON object : View

Products Affected

antfin

  • sofa-hessian
CWE
CWE-184

Incomplete List of Disallowed Inputs

CWE-502

Deserialization of Untrusted Data