Severity
CVSS: 9.0
Explanation
Due to the behavior of SerializableTypeWrapper in the Spring framework, an arbitrary code execution attack may be executed against any application that deserializes user-supplied objects when commons-collections is on the classpath. The intended behavior of SerializableTypeWrapper$MethodInvokeTypeProvider is to allow the invocation of any method on the Java classpath. The SerializableTypeWrapper$MethodInvokeTypeProvider class implements Serializable and can therefore be included in a serialized object. The combination of SerializableTypeWrapper's intended functionality and its serializability allows an attacker to embed malicious content, such as a Runtime.getRuntime().exec() call invoked via Java reflection, resulting in arbitrary code execution.
Detection
The application is vulnerable if it allows deserialization of untrusted data.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality will be subject to the same exploit.
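As an added example (not part of this advisory or of the Spring project), the following shows the defensive control that applies when an application cannot avoid deserializing external data: a JDK 9+ ObjectInputFilter allow-list that rejects every class not explicitly permitted, so gadget classes such as the Spring and commons-collections types named above are refused before their fields are read. The Order class, the filter pattern and the limits are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: allow-list deserialization filtering (JEP 290, JDK 9+).
public class FilteredDeserialization {

    // Constructed sample type standing in for the application's own DTO.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Only Order and the JDK types its object graph needs are permitted; the
    // trailing "!*" rejects any other class, so a class descriptor such as
    // org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider
    // or anything under org.apache.commons.collections is refused before its
    // contents (and any reflective invocation they would trigger) are resolved.
    // The depth/refs/bytes limits are illustrative values, not a recommendation.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$Order;java.lang.String;"
            + "maxdepth=4;maxrefs=64;maxbytes=4096;!*");

    // Deserialize bytes of unknown origin with the allow-list enforced.
    static Object readUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) readUntrusted(serialize(new Order("A-1")));   // accepted
        System.out.println("accepted: " + ok.id);
        try {
            readUntrusted(serialize(new java.util.Date()));  // any unlisted class
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());  // filter status: REJECTED
        }
    }
}
```

Filtering is a defense-in-depth measure on top of the recommended upgrade; on JDK 8u121+ the same filter is available through sun.misc.ObjectInputFilter, and a process-wide default can be set with the jdk.serialFilter system property.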
Categories
Data