-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaJavaMiggo AIRoot Cause AnalysisThe GitHub issue #226 explicitly identifies FuryActionExecutor (line 25) as the vulnerability location. The PoC demonstrates that Fury's deserialization mechanism is used to process untrusted RPC payloads without adequate validation. Fury's default configuration relies on a blacklist, which is insufficient to prevent all gadget chain exploits. The attack leverages a combination of QBindingEnumeration (from Quercus) and XStringForFSB (from XBean) classes to bypass protections and execute JNDI lookups. This matches the CWE-502 pattern of unsafe deserialization.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.noear:solon | maven | <= 2.6.0 |
Ongoing coverage of React2Shell