SYM_JAVA_0079 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
Property | Value |
---|---|
Language | java |
Severity | |
CWE | CWE-502: Deserialization of Untrusted Data |
OWASP | A08:2017 - Insecure Deserialization |
Confidence Level | Low |
Impact Level | High |
Likelihood Level | Low |
Description
The code reads Java objects from an external source with ObjectInputStream.readObject() without restricting which classes the stream may name and without verifying the origin or integrity of the bytes. readObject() instantiates whatever Serializable classes the stream references and runs their deserialization callbacks (readObject, readResolve, readExternal, and similar) before the application ever sees the result, so an attacker who controls the stream can chain classes that are already on the classpath (so-called gadget chains) to execute code or alter application state. Note that a plain cast of the returned object to the expected type happens only after deserialization has completed and therefore provides no protection.
Impact
If exploited, an attacker can execute arbitrary code remotely on the server with the privileges of the application, gain unauthorized access, or read and modify sensitive data. This can lead to a full system compromise, data loss, or denial of service (for example through deeply nested or oversized object graphs), putting both the application and its users' data at serious risk.
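The following is an added example written for this page, not code from the Symbiotic-Vulnerability-Database project. It places the vulnerable pattern next to two hardened variants: an allow-list deserialization filter (java.io.ObjectInputFilter, JEP 290, available since Java 9 and backported to 8u121) and, for older runtimes, an ObjectInputStream subclass that rejects unexpected classes in resolveClass() before they are loaded. The Greeting class and the HashMap standing in for an attacker-chosen class are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class DeserializationDemo {

    /** Hypothetical message type that the application legitimately expects to receive. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** VULNERABLE (CWE-502): any Serializable class on the classpath can be instantiated,
     *  and its readObject/readResolve callbacks run, before the cast at the call site. */
    static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** HARDENED (Java 9+ / 8u121+): allow-list filter. "!*" rejects every class not listed,
     *  and the limits bound graph depth, reference count and stream size to blunt DoS payloads. */
    static Greeting readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxrefs=50;maxbytes=4096;"
              + Greeting.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return (Greeting) in.readObject();
        }
    }

    /** HARDENED (pre-Java 9): resolveClass() is invoked for every class descriptor in the
     *  stream before the class is loaded, so rejecting here stops the gadget before it exists. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(
                Arrays.asList(Greeting.class.getName(), String.class.getName()));

        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Greeting("hello"));
        // Constructed stand-in for an attacker-chosen class; a real payload would name a gadget chain.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("vulnerable, legit:      " + readUntrusted(legit).getClass().getName());
        System.out.println("vulnerable, unexpected: " + readUntrusted(unexpected).getClass().getName());

        System.out.println("filtered, legit:        " + readFiltered(legit).text);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:   rejected (" + e.getMessage() + ")");
        }

        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(unexpected))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("resolveClass, unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter string lists every class the endpoint is prepared to accept and ends with "!*" so anything else, including array and nested-class names, is rejected; widen the list deliberately rather than switching to a deny-list, since new gadget classes appear faster than deny-lists are updated. The resolveClass() override gives the same class-level control on Java 8 but does not enforce depth or size limits on its own, so combine it with an input size cap. Where the data format is under your control, the stronger fix is not to use Java serialization for untrusted input at all and to parse a data-only format (for example JSON with explicit types) instead, or to authenticate the bytes with an HMAC over a shared key before deserializing.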