SYM_JAVA_0140 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Deserialization of Untrusted Data

| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

If a JAX-RS REST endpoint does not carry a `@Consumes` annotation (on the method or on its resource class), it is not restricted to any request media type and may accept requests with `Content-Type: application/x-java-serialized-object`. Where the runtime has a message body reader for that type, the request body is handed to Java deserialization before the resource method runs, so an attacker can send serialized Java objects that the server deserializes without validation.
## Impact

An attacker could exploit this by sending malicious serialized objects, potentially leading to arbitrary code execution on the server. This could result in data breaches, server compromise, or further attacks on your infrastructure.
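The pattern this rule flags, and its fix, as an added example that is not code from the Symbiotic database or from any project it catalogues; the `Order` payload type and the `/orders` path are assumptions for the illustration.

```java
import javax.ws.rs.Consumes;   // jakarta.ws.rs.* on Jakarta EE 9+
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

public class ConsumesExample {

    // Hypothetical request payload used by both resources below.
    public static class Order {
        public String id;
        public int quantity;
    }

    // FLAGGED: neither the class nor the method declares @Consumes, so the
    // endpoint matches any request Content-Type the runtime can read. If the
    // runtime registers a reader for application/x-java-serialized-object,
    // the raw body reaches Java deserialization before create() is entered.
    @Path("/orders")
    public static class OrderResourceUnrestricted {
        @POST
        public Response create(Order order) {
            return Response.status(Response.Status.CREATED).build();
        }
    }

    // FIXED: @Consumes pins the endpoint to the media type the application
    // actually expects. A request with any other Content-Type is rejected by
    // the JAX-RS runtime with 415 Unsupported Media Type before a body reader
    // is selected, so the serialized-object reader is never consulted.
    // Annotating the class covers every method in the resource; a method may
    // still narrow the set further with its own @Consumes.
    @Path("/orders")
    @Consumes(MediaType.APPLICATION_JSON)
    public static class OrderResourceRestricted {
        @POST
        public Response create(Order order) {
            return Response.status(Response.Status.CREATED).build();
        }
    }
}
```

When reviewing a code base for this rule, check both the method and the enclosing class: a class-level `@Consumes` satisfies the check for every method that does not override it.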