VDB
EN
CRITICAL 9.1

GHSA-8f39-v287-78jf

Apache Fory Java SDK Has Deserialization of Untrusted Data in the Java replace-resolve path

상세

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.

Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Maven / org.apache.fory:fory-core
최초 영향 버전: 0 수정 버전: 1.1.0
수정 # pom.xml: bump <version>1.1.0</version> for org.apache.fory:fory-core

참고