| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.nutz:nutzboot-parent | maven | <= 2.6.0-SNAPSHOT | |
The vulnerability lies in the EthModule.java file, which is part of a demonstration application for nutzboot. The EthModule class has a method localeAccounts that returns information about local Ethereum accounts. The class is annotated with @Ok("json:{..., locked:'credentials'}"), which is a feature of the Nutz framework to control JSON serialization. The locked property is used to specify fields that should not be included in the JSON output.
The localeAccounts method returns a NutMap containing web3jCredentials, which is a map of Web3jAccount objects. The Web3jAccount class contains sensitive information, including the account's password, which is used in the sendTransaction method (account.getPassword()).
The vulnerability is caused by a typo in the @Ok annotation. The developer intended to prevent the password field from being serialized, but instead wrote credentials, a name that matches no field of Web3jAccount, so nothing is excluded. As a result, when the localeAccounts method is called, the web3jCredentials map is serialized to JSON and the password of each account is included in the response, leading to an information disclosure vulnerability.
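The following Python is an added illustration, not code from nutzboot or the Nutz framework: it models the deny-list behaviour of the locked property in a small serializer so the effect of the misspelled name can be observed, and adds two defensive variants the original lacks: a strict mode that rejects a locked name matching no field (which would have caught the typo at startup), and an allow-list view that only ever emits fields meant to be public. Web3jAccount is a minimal stand-in for the demo's class, and the addresses and passwords are constructed sample data.

```python
"""Model of a deny-list JSON serializer and the failure mode of a misspelled name.

Constructed example; it re-implements the idea of @Ok("json:{locked:'...'}")
in plain Python and does not use the Nutz framework.
"""
import json
from dataclasses import dataclass, fields


@dataclass
class Web3jAccount:
    """Stand-in for the demo's Web3jAccount: an address plus the secret used to sign."""
    address: str
    password: str


class LockedFieldError(ValueError):
    """Raised in strict mode when a locked name corresponds to no serializable field."""


def serialize(obj, locked=frozenset(), strict=False):
    """Serialize dicts, lists and dataclass instances to JSON.

    `locked` mirrors the deny-list semantics of Nutz's locked property: any key
    or field with a name in the set is dropped. With strict=True, a locked name
    that matches no field on a dataclass is an error, so a typo such as
    'credentials' instead of 'password' cannot silently fail open.
    """
    locked = frozenset(locked)

    def walk(value):
        if isinstance(value, dict):
            return {k: walk(v) for k, v in value.items() if k not in locked}
        if isinstance(value, (list, tuple)):
            return [walk(v) for v in value]
        if hasattr(value, "__dataclass_fields__"):
            names = {f.name for f in fields(value)}
            unknown = locked - names
            if strict and unknown:
                raise LockedFieldError(
                    f"locked names {sorted(unknown)} match no field of "
                    f"{type(value).__name__}; fields are {sorted(names)}")
            return {n: walk(getattr(value, n)) for n in sorted(names) if n not in locked}
        return value  # scalars pass through unchanged

    return json.dumps(walk(obj), sort_keys=True)


# Constructed sample credentials, standing in for the demo's web3jCredentials map.
WEB3J_CREDENTIALS = {
    "0x1111": Web3jAccount("0x1111", "correct-horse-battery"),
    "0x2222": Web3jAccount("0x2222", "staple"),
}

VULNERABLE_LOCKED = frozenset({"credentials"})  # the typo: excludes nothing
FIXED_LOCKED = frozenset({"password"})          # the intended deny-list


def locale_accounts(locked, strict=False):
    """Model of localeAccounts: returns the credentials map as JSON under a locked set."""
    return serialize({"web3jCredentials": WEB3J_CREDENTIALS}, locked=locked, strict=strict)


def public_accounts():
    """Allow-list alternative: build the response only from fields meant to be public."""
    view = {addr: {"address": acct.address} for addr, acct in WEB3J_CREDENTIALS.items()}
    return serialize({"web3jCredentials": view})


def exposed_passwords(json_text):
    """Detection helper: list any password values present in a response body."""
    data = json.loads(json_text)
    accounts = data.get("web3jCredentials", {}).values()
    return sorted(acct["password"] for acct in accounts if "password" in acct)


if __name__ == "__main__":
    print("typo   :", exposed_passwords(locale_accounts(VULNERABLE_LOCKED)))
    print("fixed  :", exposed_passwords(locale_accounts(FIXED_LOCKED)))
    print("allow  :", exposed_passwords(public_accounts()))
    try:
        locale_accounts(VULNERABLE_LOCKED, strict=True)
    except LockedFieldError as exc:
        print("strict :", exc)
```

The strict check is the cheap, general lesson: a deny-list that accepts unknown names gives no signal when a name is wrong, whereas an allow-list view (public_accounts) never emits a secret regardless of how the exclusion list is spelled.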
Affected function: io.nutz.demo.simple.module.EthModule.localeAccounts
Affected file: nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java