New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Serialization vulnerability of fastjson / jackson #285

Closed

iapplejohn opened this issue Jul 21, 2020 · 0 comments

Contributor

iapplejohn commented Jul 21, 2020

BUG REPORT

Please describe the issue you observed:

What did you do (The steps to reproduce)?
Utilize the specific payload
What did you expect to see?
The payload would be deserialized to normal objects
What did you see instead?
Special objects are instantiated which could lead to danger towards the servers

Please tell us about your environment:
rocketmq starter: 2.1.1-SNAPSHOT
Jackson: 2.9.7
Fastjson: 1.2.69
Other information (e.g. detailed explanation, logs, related issues, suggestions how to fix, etc):
Jackson: https://help.aliyun.com/noticelist/articleid/1060035134.html
Fastjson: https://help.aliyun.com/noticelist/articleid/1060343604.html

Upgrade jackson version from 2.9.7 to 2.11.1
Upgrade fastjson version from 1.2.69 to 1.2.72

iapplejohn mentioned this issue

[ISSUE #285] Upgrade jackson/fastjson version #284

Merged

RongtongJin pushed a commit that referenced this issue


          [ISSUE #285] Upgrade jackson/fastjson version

b4cd289

RongtongJin closed this as completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment