New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

项目引用了com.alibaba:fastjson等17个开源组件，存在3个漏洞，建议升级 #2

Open

ghost opened this issue Mar 3, 2022 · 2 comments

ghost commented Mar 3, 2022

大佬，看你这个项目调用了com.alibaba:fastjson等17个开源组件，存在3个安全漏洞，建议你升级下。

漏洞标题：Fastjson <=1.2.68 远程代码执行漏洞
漏洞编号：
漏洞描述：
Fastjson 是Java语言实现的快速JSON解析和生成器，在<=1.2.68的版本中攻击者可通过精心构造的JSON请求，远程执行恶意代码。
漏洞原因：
Fastjson采用黑白名单的方法来防御反序列化漏洞，导致当黑客不断发掘新的反序列化Gadgets类时，发现在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制，造成远程命令执行漏洞。
国家漏洞库信息：https://www.cnvd.org.cn/flaw/show/CNVD-2020-30827
影响范围：(∞, 1.2.69)
最小修复版本：1.2.69
引入路径：
com.young-datafan:[email protected]>com.alibaba:[email protected]

另外2个漏洞，信息有点多我就不贴了，你自己看下完整报告：https://www.mfsec.cn/jr?p=a1ab8b
你对这个issues有任何疑问可以回复我，我能看见哈。

The text was updated successfully, but these errors were encountered:

Collaborator

zhangrenhua commented Mar 10, 2022

好的，近期会修复下

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment