In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRed Hat Jboss Enterprise Application Platform
APPRedhat5.0.05.0.15.1.05.1.15.1.25.2.05.2.15.2.2
CISA KEV — detailsi
- Vendori
- Red Hat ↗
- Producti
- JBoss Application Server
- Added to KEVi
- December 10, 2021
- Remediation deadline (US Federal)i
- June 10, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.
Related vulnerabilities
Brak walidacji nagłówka Host w serwerze Undertow HTTP
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the ...
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would perm...
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpr...
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Con...