Details
- Type: Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 2.4.5
Description
A specific structure of serialized Groovy objects can be used to run arbitrary commands remotely when an application deserializes untrusted input without checking the classes it contains. See issue COLLECTIONS-580 for a related problem in another library.
See the following links for details:
The payload-building code:
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java
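A defensive counterpart, added here as an example and not code from the Groovy project or the linked repository: an ObjectInputStream subclass that allowlists the classes it will resolve, so a stream carrying Groovy runtime objects (or any other unexpected type) is refused before any of them is instantiated. The allowlist contents and the sample objects are constructed for this illustration.

```java
import java.io.*;
import java.util.*;

/**
 * Hardened ObjectInputStream: only classes on an explicit allowlist may be
 * deserialized. Anything else, including every org.codehaus.groovy.* class
 * (which an application data stream never legitimately needs), is rejected
 * before its bytes become an object, so a gadget chain never executes.
 */
public class SafeObjectInputStream extends ObjectInputStream {
    // Constructed allowlist for this example; real code lists the application's own DTOs.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "[Ljava.lang.Object;"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Detection point: log this, it is a deserialization attack attempt or a bug.
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize one object from raw bytes under the allowlist. */
    public static Object readSafely(byte[] data) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed: a list of strings round-trips (String is written inline, no class descriptor).
        byte[] ok = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("accepted: " + readSafely(ok));
        // Rejected: HashMap is not on the allowlist, so resolveClass throws
        // before any of its readObject logic runs.
        byte[] bad = serialize(new HashMap<String, String>());
        try {
            readSafely(bad);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the standard `ObjectInputFilter` API instead of overriding `resolveClass`; either way the rule is an allowlist of expected types, not a denylist of known gadgets.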