CVE-2019-9212

** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated.
References
Link Resource
https://github.com/alipay/sofa-hessian/issues/34 Issue Tracking Patch
Configurations

Configuration 1

cpe:2.3:a:antfin:sofa-hessian:*:*:*:*:*:*:*:*

Information

Published : 2019-02-27 05:29

Updated : 2020-02-10 09:54


NVD link : CVE-2019-9212

Mitre link : CVE-2019-9212

Products Affected
No products.
CWE
CWE-184

Incomplete List of Disallowed Inputs

CWE-502

Deserialization of Untrusted Data