You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@aurora.apache.org by GitBox <gi...@apache.org> on 2019/09/17 00:20:42 UTC

[GitHub] [aurora] larrycameron80 opened a new issue #70: Arbitrary Code Execution during Deserialization

larrycameron80 opened a new issue #70: Arbitrary Code Execution during Deserialization
URL: https://github.com/apache/aurora/issues/70
 
 
   Arbitrary Code Execution during Deserialization
   Vulnerable module: org.beanshell:bsh
   Introduced through: org.asynchttpclient:async-http-client@2.0.37
   
   Detailed paths
   
   Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.asynchttpclient:async-http-client@2.0.37 › com.typesafe.netty:netty-reactive-streams@1.0.8 › org.testng:testng@6.9.4 › org.beanshell:bsh@2.0b4
   
   Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.asynchttpclient:async-http-client@2.0.37 › com.typesafe.netty:netty-reactive-streams@1.0.8 › org.reactivestreams:reactive-streams-tck@1.0.0 › org.testng:testng@6.9.4 › org.beanshell:bsh@2.0b4
   
   Overview
   org.beanshell:bsh is a Java source interpreter with object scripting language features, written in Java.
   
   Affected versions of this package are vulnerable to Arbitrary Code Execution during Deserialization. When included on the classpat by an application that uses Java serialization or XStream, A remote attacker could execute arbitrary code via crafted serialized data, related to XThis.Handler.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services