SerializableTypeWrapper in the Spring framework, an arbitrary code execution attack may be executed against any application performing deserialization of user-supplied objects when commons-collections is on the classpath.
The intended behavior of SerializableTypeWrapper$MethodInvokeTypeProvider is to allow for the invocation of any method on the Java classpath. The SerializableTypeWrapper$MethodInvokeTypeProvider class implements Serializable and therefore can be included in a serialized object. The combination of SerializableTypeWrapper's intended functionality and the fact that it is serializable allows an attacker to embed malicious content, such as a call to Runtime.getRuntime().exec() made via Java reflection, resulting in arbitrary code execution.
Note: Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality is subject to the same kind of exploit.
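As an added defender-side example (not taken from the advisory or from the Spring project): a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, Java 9 and later) that explicitly denies the Spring SerializableTypeWrapper classes and the Commons Collections packages named above, and otherwise accepts only an explicit allowlist of application types. The Greeting and NotAllowed classes are constructed for the demonstration, and the org.springframework.core package prefix for SerializableTypeWrapper is assumed.

```java
import java.io.*;

public class SafeDeserialization {

    // Application type that is legitimately expected on the wire (constructed for the demo).
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Stands in for any class that is not on the allowlist (constructed for the demo).
    public static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Patterns are evaluated left to right; the first match decides. Deny the gadget
    // classes by name, allow the application's own types and the JDK types they use,
    // bound the object graph to limit resource abuse, and reject everything else ("!*").
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.springframework.core.SerializableTypeWrapper*;"   // assumed package prefix
        + "!org.apache.commons.collections.**;"
        + "!org.apache.commons.collections4.**;"
        + "SafeDeserialization$Greeting;java.lang.String;java.base/*;"
        + "maxdepth=10;maxrefs=100;maxbytes=65536;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // each class in the stream is checked before resolution
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("allowed: " + g.text);
        try {
            deserialize(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            // Thrown with "filter status: REJECTED" before any constructor or readObject runs
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 8u121 and later the same filter API is available as sun.misc.ObjectInputFilter; a process-wide default can also be set with the jdk.serialFilter system property instead of per-stream.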