CRITICAL 9.1
GHSA-8f39-v287-78jf
Apache Fory Java SDK Has Deserialization of Untrusted Data in the Java replace-resolve path
상세
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.
Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
Maven / org.apache.fory:fory-core
최초 영향 버전:
0 수정 버전: 1.1.0 수정
# pom.xml: bump <version>1.1.0</version> for org.apache.fory:fory-core