Sofastack Sofa-Rpc vulnerabilities
2 known vulnerabilities affecting sofastack/sofa-rpc.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2

Vulnerabilities
CVE-2023-41331 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.11.0 | 2023-09-12
CVE-2023-41331 [CRITICAL] CWE-917
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserializat
Source: nvd
CVE-2024-23636 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.12.0 | 2024-01-23
CVE-2024-23636 [CRITICAL] CWE-502
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian bla
Source: nvd