In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. XStream is a simple library to serialize objects to XML and back again.
However, the nature of the vulnerability is more general, and there may be other ways to exploit it. the default, it is not vulnerable to the exploit. If the application is deployed as a Spring Boot executable jar, i.e. The specific exploit requires the application to run on Tomcat as a WAR deployment. Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.Ī Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
0 kommentar(er)
