top | item 30862853

(no title)

awirth | 3 years ago

If you can access the classloader that's pretty bad, it's likely people will find other gadgets.

It's insane to me though that class.* isn't completely disallowed. What is the legitimate use case for deserializing allowing web requests to call setters in the reflection API?

Also, agree it is impressive to me how much bad information I've seen.

discuss

loginatnine|3 years ago

Yea it didn't help that this was posted a bit after https://spring.io/blog/2022/03/29/cve-report-published-for-s... and that the original article mentioned a commit on the class `SerializationUtils` which in the end has no connection to this.

I believe accessing the `class` object here is a mistake. You can see my analysis here where I trace the POC https://news.ycombinator.com/item?id=30862953 but like you said, there are other problematic code paths for sure with this.