You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@aurora.apache.org by GitBox <gi...@apache.org> on 2019/09/17 00:20:42 UTC
[GitHub] [aurora] larrycameron80 opened a new issue #70: Arbitrary Code
Execution during Deserialization
larrycameron80 opened a new issue #70: Arbitrary Code Execution during Deserialization
URL: https://github.com/apache/aurora/issues/70
Arbitrary Code Execution during Deserialization
Vulnerable module: org.beanshell:bsh
Introduced through: org.asynchttpclient:async-http-client@2.0.37
Detailed paths
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.asynchttpclient:async-http-client@2.0.37 › com.typesafe.netty:netty-reactive-streams@1.0.8 › org.testng:testng@6.9.4 › org.beanshell:bsh@2.0b4
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.asynchttpclient:async-http-client@2.0.37 › com.typesafe.netty:netty-reactive-streams@1.0.8 › org.reactivestreams:reactive-streams-tck@1.0.0 › org.testng:testng@6.9.4 › org.beanshell:bsh@2.0b4
Overview
org.beanshell:bsh is a Java source interpreter with object scripting language features, written in Java.
Affected versions of this package are vulnerable to Arbitrary Code Execution during Deserialization. When included on the classpat by an application that uses Java serialization or XStream, A remote attacker could execute arbitrary code via crafted serialized data, related to XThis.Handler.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services