org.apache.mina:mina-core@2.1.9 vulnerabilities

  • latest version

    2.2.3

  • first published

    18 years ago

  • latest version published

    1 year ago


  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.mina:mina-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Deserialization of Untrusted Data (severity: C, critical)

    org.apache.mina:mina-core is a network application framework which helps users develop high performance and high scalability network applications easily.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the ObjectSerializationDecoder, which deserializes peer-supplied bytes without restricting which classes may be instantiated. An attacker who can reach a listener using this decoder can execute arbitrary code by sending specially crafted serialized data.

    Note:

    1. This is only exploitable if the IoBuffer#getObject method is called and a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class is added to the filter chain.

    2. The FtpServer, SSHd and Vysper sub-projects are not affected by this issue.

    3. Upgrading alone is not sufficient: after moving to a fixed version, you must explicitly allow the classes the decoder will accept on the ObjectSerializationDecoder instance, using one of the three new methods: accept(ClassNameMatcher classNameMatcher), accept(Pattern pattern), or accept(String... patterns). A decoder with no accept list rejects every class.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.mina:mina-core to version 2.0.27, 2.1.10, 2.2.4 or higher.

    Vulnerable version ranges:

    • [2.0.0, 2.0.27)
    • [2.1.0, 2.1.10)
    • [2.2.0, 2.2.4)
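    The following is an added example, not code from Snyk or from the Apache MINA project, showing the affected wiring (a ProtocolCodecFilter built from the default ObjectSerializationCodecFactory) beside the post-upgrade form that Note 3 requires. The package name, the ChatMessage type and the port are hypothetical; the example assumes a fixed mina-core release (2.0.27, 2.1.10 or 2.2.4 or later) on the classpath, since accept(String...) and the deny-by-default behaviour only exist there. The pattern syntax accepted by accept(String...) should be checked against the javadoc of the release you deploy.

```java
package com.example.mina;   // hypothetical package (assumption)

import java.io.IOException;
import java.io.Serializable;
import java.net.InetSocketAddress;

import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class ObjectCodecServer {

    /** Hypothetical application message: the only class this server should ever deserialize. */
    public static final class ChatMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String from;
        public final String text;

        public ChatMessage(String from, String text) {
            this.from = from;
            this.text = text;
        }

        @Override
        public String toString() {
            return from + ": " + text;
        }
    }

    /**
     * BEFORE (vulnerable on 2.0.x < 2.0.27, 2.1.x < 2.1.10, 2.2.x < 2.2.4):
     * the factory's default decoder instantiates whatever class name the peer
     * puts on the wire, so any gadget chain on the classpath is reachable
     * from a crafted payload.
     */
    static ProtocolCodecFilter legacyFilter() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    /**
     * AFTER: build the decoder yourself and enumerate the classes it may
     * instantiate. On a fixed release a class that is not on the accept list
     * is rejected before its object is constructed.
     */
    static ProtocolCodecFilter hardenedFilter() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // accept(String... patterns) is one of the three methods named in Note 3.
        // List the message type itself; any further Serializable classes that its
        // fields reference (nested value objects, collections) must be listed too.
        decoder.accept(ChatMessage.class.getName());
        // Bound the size of a single object to limit memory pressure from a hostile peer.
        decoder.setMaxObjectSize(64 * 1024);
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    public static void main(String[] args) throws IOException {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", hardenedFilter());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only ChatMessage can reach here; anything else was rejected in the decoder.
                ChatMessage msg = (ChatMessage) message;
                session.write(new ChatMessage("server", "ack " + msg.text));
            }

            @Override
            public void exceptionCaught(IoSession session, Throwable cause) {
                // A rejected class surfaces as a decode error; drop the connection.
                session.closeNow();
            }
        });
        acceptor.bind(new InetSocketAddress(9123));   // hypothetical port
    }
}
```

    Replace every use of the legacyFilter() pattern, and grep the code base for direct calls to IoBuffer#getObject as well, since Note 1 ties exploitability to that method being reached through the codec filter chain.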