7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24164

GHSA ID

GHSA-p5gm-fgfx-hr7h

EPSS Score

0.35077%

CWE

CWE-502

Published

2/10/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-24164

CVE-2020-24164: Gadget chain attack in Nippy

A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24164

GHSA ID

GHSA-p5gm-fgfx-hr7h

EPSS Score

0.35077%

CWE

CWE-502

Published

2/10/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.taoensso:nippy	maven	< 2.14.2	2.14.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Nippy's automatic use of Java Serializable interface without proper validation. The commit diff shows: 1) Added serializable-whitelist to gate Serializable usage 2) Modified write-serializable to check this whitelist before writing objects 3) Created read-serializable-depr1 to handle legacy serialization with security checks. The original write-serializable and read-serializable functions lacked these protections, allowing arbitrary class deserialization. This matches the CWE-502 pattern where untrusted data deserialization occurs without proper validation, enabling RCE through malicious payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **s*ri*liz*tion *l*w is pr*s*nt in T*o*nsso Nippy ***or* *.**.*. In som* *ir*umst*n**s, it is possi*l* *or *n *tt**k*r to *r**t* * m*li*ious p*ylo** t**t, w**n **s*ri*liz**, will *llow *r*itr*ry *o** to ** *x**ut**. T*is o**urs ****us* t**r* is *ut

Reasoning

T** vuln*r**ility st*ms *rom Nippy's *utom*ti* us* o* J*v* S*ri*liz**l* int*r**** wit*out prop*r v*li**tion. T** *ommit *i** s*ows: *) ***** *s*ri*liz**l*-w*it*list* to **t* S*ri*liz**l* us*** *) Mo*i*i** writ*-s*ri*liz**l* to ****k t*is w*it*list **

7.8

Basic Information

Concerned about an active attack path?

CVE-2020-24164: Gadget chain attack in Nippy

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI