Home > Vulnerability Database > CVE-2024-23636

Mend.io Vulnerability Database

CVE-2024-23636

Good to know:

Date: January 23, 2024

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.

Language: Java

Severity Score

9.8

Related Resources (6)

Url: https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23636

Url: https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76

Url: https://github.com/sofastack/sofa-rpc/commit/d08e25824ae9feaf0876adba9acd2938f34759b1

Url: https://github.com/sofastack/sofa-rpc

Url: https://www.mend.io/vulnerability-database/CVE-2024-23636

Severity Score

9.8

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version com.alipay.sofa:sofa-rpc-all:5.12.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23636

Good to know:

Date: January 23, 2024

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?