Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

同学,您这个项目引入了47个开源组件,存在4个漏洞,辛苦升级一下 #1

Open
ghost opened this issue Mar 7, 2022 · 1 comment

Comments

@ghost
Copy link

ghost commented Mar 7, 2022

检测到 qingzinai/book-serve 一共引入了47个开源组件,存在4个漏洞

漏洞标题:Fastjson <=1.2.68 远程代码执行漏洞
缺陷组件:com.alibaba:[email protected]
漏洞编号:
漏洞描述:Fastjson 是Java语言实现的快速JSON解析和生成器,在<=1.2.68的版本中攻击者可通过精心构造的JSON请求,远程执行恶意代码。
漏洞原因:
Fastjson采用黑白名单的方法来防御反序列化漏洞,导致当黑客不断发掘新的反序列化Gadgets类时,发现在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制,造成远程命令执行漏洞。
国家漏洞库信息:https://www.cnvd.org.cn/flaw/show/CNVD-2020-30827
影响范围:(∞, 1.2.69)
最小修复版本:1.2.69
缺陷组件引入路径:com.example:[email protected]>com.alibaba:[email protected]

另外还有4个漏洞,详细报告:https://mofeisec.com/jr?p=id82c6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant
and others