CVE-2022-25845 (Critical) detected in fastjson-1.2.33.jar #79
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
1 task
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2022-25845 - Critical Severity Vulnerability
Fastjson is a JSON processor (JSON parser + JSON generator) written in Java
Library home page: https://github.com/alibaba/fastjson
Path to dependency file: /core/pom.xml
Path to vulnerable library: /epository/com/alibaba/fastjson/1.2.33/fastjson-1.2.33.jar
Dependency Hierarchy:
Found in HEAD commit: caf150d6ebabd25bed4304a201b7e20745bac146
Found in base branch: master
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable safeMode.
Publish Date: 2022-06-10
URL: CVE-2022-25845
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2022-06-10
Fix Resolution: 1.2.50_noneautotype
⛑️ Automatic Remediation is available for this issue
The text was updated successfully, but these errors were encountered: