The vulnerability stems from insecure deserialization in the License Response Servlet processing chain. The doPost method accepts a 'bundle' parameter, which is decrypted and passed to BundleWorker.unbundle; that method ultimately calls verify(), where ObjectInputStream.readObject() deserializes attacker-controlled data. Because the encryption keys are hard-coded and the IV is predictable, attackers can craft malicious payloads that are accepted as valid. Multiple independent analyses (Rapid7, frycos) confirm the deserialization sink in BundleWorker.verify as the root cause.
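
A mitigation for the sink described above, as an added example that is not code from the affected product or from the cited analyses: a Java 9+ `ObjectInputFilter` allow-list installed before `readObject()` runs. The names `FilteredBundleRead`, `LicenseResponse` and `readBundle`, and the sample inputs, are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class FilteredBundleRead {
    // Hypothetical stand-in for the one type a license bundle should contain.
    static class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licenseId;
        LicenseResponse(String licenseId) { this.licenseId = licenseId; }
    }

    // Allow-list: the expected class plus String; "!*" rejects every other class.
    // The depth, reference and size limits bound the work done on a hostile stream.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxrefs=100;maxbytes=65536;"
        + LicenseResponse.class.getName() + ";java.lang.String;!*");

    // Reads one object from already-decrypted bytes with the filter in place.
    static Object readBundle(byte[] decrypted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(decrypted))) {
            in.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected object, one unexpected type.
        Object ok = readBundle(serialize(new LicenseResponse("constructed-id-001")));
        System.out.println("accepted: " + ok.getClass().getSimpleName());
        try {
            readBundle(serialize(new ArrayList<>(List.of("unexpected"))));
        } catch (InvalidClassException e) {
            // The filter rejects the class before any instance of it is created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A filter narrows what the sink will instantiate; it does not authenticate the bundle, which still requires a key that is not shipped in the product.
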
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| metasploit-framework | rubygems | <= 6.0.33 | |