-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from unsafe deserialization in sofa-hessian's handling of payloads. The PoC demonstrates exploitation by: 1) Using Hessian2Output with a custom SerializerFactory 2) Explicitly setting allowNonSerializable=true 3) Leveraging UnixPrintServiceLookup as a gadget. The critical function enabling this is SerializerFactory.setAllowNonSerializable() which removes serialization safeguards. This matches the CWE-502 pattern and explains how the bypass works, as confirmed by the working PoC and CVE description of a 'crafted payload' bypass.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.noear:solon | maven | < 2.3.3 | 2.3.3 |
JavaJavaKEV Misses 88% of Exploited CVEs- Get the report