CVE-2022-25845
Summary
| CVE | CVE-2022-25845 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-10 20:15:00 UTC |
| Updated | 2023-02-23 17:51:00 UTC |
| Description | The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode). |
Risk And Classification
Problem Types: CWE-502
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Alibaba | Fastjson | All | All | All | All |
| Application | Oracle | Communications Cloud Native Core Unified Data Repository | 22.2.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bug fix for autotype · alibaba/fastjson@8f3410f · GitHub | CONFIRM | github.com | |
| fastjson 1.2.80 deserialization vulnerability PoC - 雨苁ℒ | CONFIRM | www.ddosi.org | |
| Release FASTJSON 1.2.83 released (security fix) · alibaba/fastjson · GitHub | CONFIRM | github.com | |
| Deserialization of Untrusted Data in com.alibaba:fastjson \| CVE-2022-25845 \| Snyk | CONFIRM | snyk.io | |
| security_update_20220523 · alibaba/fastjson Wiki · GitHub | CONFIRM | github.com | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| bug fix for autoType · alibaba/fastjson@35db4ad · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Unknown
There are currently no legacy QID mappings associated with this CVE.