
io.codemodder.codemods.HardenXMLDecoderCodemod.report.json

There is a newer version: 0.97.3
{
  "summary": "Hardened XMLDecoder usage to prevent common attacks",
  "change": "Wrapped the XMLDecoder input stream with one that detects whether well-known exploit types are being deserialized -- but XMLDecoder is difficult to protect and its use should be removed when possible",
  "reviewGuidanceIJustification": "We believe this change is safe and effective. Hardened `XMLDecoder` instances will only throw `SecurityException` if they see types being deserialized that are involved in code execution, which is extremely unlikely to happen in normal operation.",
  "references": [
    "https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/web/java-XMLDecoder-RCE.md",
    "http://diniscruz.blogspot.com/2013/08/using-xmldecoder-to-execute-server-side.html"
  ]
}
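The wrapping the report describes, shown as an added example that is not the codemod's own code and not the library it rewrites calls to use. It puts the unhardened call beside a hardened one: the hardened path buffers the untrusted document, parses it with a DTD-free DOM parser, and throws `SecurityException` before `XMLDecoder` instantiates anything if any element's `class` attribute names a type on an assumed denylist (`java.lang.ProcessBuilder`, `java.lang.Runtime`, `javax.script.ScriptEngineManager`; the list, the class and method names, and both XML documents are constructed for the example).

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class HardenedXmlDecoderExample {

    // Constructed payload: the well-known ProcessBuilder gadget. Decoding it
    // instantiates java.lang.ProcessBuilder and calls start(), i.e. runs a command.
    static final String EXPLOIT_XML =
        "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
      + "  <object class=\"java.lang.ProcessBuilder\">\n"
      + "    <array class=\"java.lang.String\" length=\"1\">\n"
      + "      <void index=\"0\"><string>calc</string></void>\n"
      + "    </array>\n"
      + "    <void method=\"start\"/>\n"
      + "  </object>\n"
      + "</java>";

    // Constructed benign document of the kind an application legitimately persists.
    static final String BENIGN_XML =
        "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
      + "  <object class=\"java.util.ArrayList\">\n"
      + "    <void method=\"add\"><string>hello</string></void>\n"
      + "  </object>\n"
      + "</java>";

    // Assumed denylist for this example (not the project's list): types that turn
    // a decoded object graph into command or code execution.
    static final List<String> DANGEROUS_TYPES = List.of(
            "java.lang.ProcessBuilder",
            "java.lang.Runtime",
            "javax.script.ScriptEngineManager");

    // Before the codemod: untrusted bytes go straight into XMLDecoder.
    static Object decodeUnhardened(InputStream in) {
        try (XMLDecoder decoder = new XMLDecoder(in)) {
            return decoder.readObject();
        }
    }

    // After: the same call, but the stream is wrapped by hardenStream() first.
    static Object decodeHardened(InputStream in) throws IOException {
        try (XMLDecoder decoder = new XMLDecoder(hardenStream(in))) {
            return decoder.readObject();
        }
    }

    /**
     * Illustrative hardening wrapper (hypothetical, not the codemodder/pixee one).
     * Buffers the document, parses it with a DTD-free DOM parser, and rejects it
     * with SecurityException if any element's class attribute names a dangerous
     * type. Checking parsed attribute values rather than raw bytes means a
     * character reference such as Process&#66;uilder cannot hide the class name.
     */
    static InputStream hardenStream(InputStream untrusted) throws IOException {
        byte[] bytes = untrusted.readAllBytes();
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = factory.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
            NodeList elements = doc.getElementsByTagName("*");
            for (int i = 0; i < elements.getLength(); i++) {
                String type = ((Element) elements.item(i)).getAttribute("class");
                if (DANGEROUS_TYPES.contains(type)) {
                    throw new SecurityException("XMLDecoder input names dangerous type: " + type);
                }
            }
        } catch (SecurityException e) {
            throw e;
        } catch (Exception e) {
            // Malformed XML would fail inside XMLDecoder anyway; fail closed here instead.
            throw new SecurityException("Refusing XMLDecoder input that does not parse", e);
        }
        // Clean by this check: hand the original bytes through unchanged.
        return new ByteArrayInputStream(bytes);
    }

    static InputStream utf8(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Benign documents still decode exactly as before.
        System.out.println("benign -> " + decodeHardened(utf8(BENIGN_XML)));

        // The gadget document is rejected before XMLDecoder instantiates anything.
        try {
            decodeHardened(utf8(EXPLOIT_XML));
        } catch (SecurityException e) {
            System.out.println("exploit -> " + e.getMessage());
        }
        // decodeUnhardened(utf8(EXPLOIT_XML)) would run the command; deliberately not called.
    }
}
```

This is a denylist, which is why the report says the hardening should be treated as a stopgap: `XMLDecoder` can call arbitrary constructors and methods, including `Class.forName` and reflective invocation through other JDK types, so a document that reaches execution without naming a listed class still decodes. The durable fix the report points at is to stop passing untrusted input to `XMLDecoder` at all.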