Remote Code Execution Vulnerability found with Fastjson RCE
Industry: N/A | Level: Strategic | Source: JFrog
Research from JFrog has discovered a remote code execution (RCE) vulnerability with Fastjson bypassing the AutoTypeCheck feature. Fastjson has addressed the issue with its latest version (1.2.83). The vulnerability is known to impact 5000 Maven projects with dependency on Fastjson using versions prior to 1.2.83 however the scope is found to be limited as "the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and most importantly — target-specific research is required to find a suitable gadget class to exploit." JFrog's analysis was able to uncover "gadget classes" that are configured to be exploitable, posing a challenge to attackers with their analysis adding that "an attacker that wishes to exploit this vulnerability in the real world will need to perform deep research on the attacked Java application, in order to find a custom Java “gadget” class (loaded in the Classpath), that extends Exception/Throwable and contains the relevant methods that can be used to gain privileges, leak data or even run arbitrary code."