Base Score

CRITICAL9.8

CVE-2019-9212

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated

VectorNETWORK

Published Bycve@mitre.org

Published DateFeb 27, 2019, 17:29

Affected Versions(2)

com.alipay.sofa:hessian(Maven)

Introduced4.0.0

Fixed4.0.2

LimitN/A

com.alipay.sofa:hessian(Maven)

Introduced0

Fixed3.3.6

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.alipay.sofa:hessian(Maven)	4.0.0	4.0.2	N/A
com.alipay.sofa:hessian(Maven)	0	3.3.6	N/A

Weakness Type (CWE):CWE-184

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://github.com/alipay/sofa-hessian/issues/34

Base Score

CRITICAL9.8

Weakness Type (CWE):CWE-184

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH