Skip to content
This repository has been archived by the owner on Apr 13, 2023. It is now read-only.

Security problem: Ceylon allows to build a deserialization gadget #7471

Open
supersache opened this issue Dec 8, 2021 · 0 comments
Open

Comments

@supersache
Copy link

Hello, the class org.eclipse.ceylon.compiler.java.language.SerializationProxy allows to build a very simple deserialization gadget.
I'm about to submit a merge request to ysoserial (https://github.com/frohoff/ysoserial), see here: supersache/ysoserial@a65671e.
If someone does java.io.ObjectInputStream.readObject() on untrusted data and ceylon-language-1.3.3 is in the class path, an attacker can achieve Remote Code Execution (or execute arbitrary Java code on behalf of the server). I have no clue how and where ceylon is used whether there is a realistic threat of exploitation.

I wanted to give you the opportunity to address this before the exploit code becomes public.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant