Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Jboss EAP Deserialization of Untrusted Data Vulnerability - CVE-2017-12149 - Vulnerability Database
Jboss EAP

Jboss EAP Deserialization of Untrusted Data Vulnerability - CVE-2017-12149

Critical
Reference: CVE-2017-12149
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2017-12149
Title: Jboss EAP Deserialization of Untrusted Data Vulnerability
Overview:

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.