The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data: under certain conditions the default autoType shutdown restrictions can be bypassed. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
References

| Link | Resource |
|---|---|
| https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d | Patch, Third Party Advisory |
| https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15 | Patch, Third Party Advisory |
| https://github.com/alibaba/fastjson/releases/tag/1.2.83 | Release Notes, Third Party Advisory |
| https://github.com/alibaba/fastjson/wiki/security_update_20220523 | Third Party Advisory |
| https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222 | Third Party Advisory |
| https://www.ddosi.org/fastjson-poc/ | Exploit, Third Party Advisory |
| https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory |
History
23 Feb 2023, 17:51

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:* |
| First Time | | Oracle; Oracle communications Cloud Native Core Unified Data Repository |
| References | | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |

25 Jul 2022, 18:22

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

17 Jun 2022, 17:13

| Type | Values Removed | Values Added |
|---|---|---|
| References | | (CONFIRM) https://www.ddosi.org/fastjson-poc/ - Exploit, Third Party Advisory |
| References | | (CONFIRM) https://github.com/alibaba/fastjson/releases/tag/1.2.83 - Release Notes, Third Party Advisory |
| References | | (CONFIRM) https://github.com/alibaba/fastjson/wiki/security_update_20220523 - Third Party Advisory |
| References | | (CONFIRM) https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d - Patch, Third Party Advisory |
| References | | (CONFIRM) https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222 - Third Party Advisory |
| References | | (CONFIRM) https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15 - Patch, Third Party Advisory |
| First Time | | Alibaba fastjson; Alibaba |
| CVSS | v2 : v3 : | v2 : 6.8; v3 : 9.8 |
| CWE | | CWE-502 |
| CPE | | cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:* |

10 Jun 2022, 21:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2022-06-10 20:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-25845
Mitre link : CVE-2022-25845
CVE.ORG link : CVE-2022-25845
Products Affected
oracle
- communications_cloud_native_core_unified_data_repository
alibaba
- fastjson
CWE
CWE-502
Deserialization of Untrusted Data