This repository has been archived by the owner on Apr 13, 2023. It is now read-only.
Hello, the class org.eclipse.ceylon.compiler.java.language.SerializationProxy allows to build a very simple deserialization gadget.
I'm about to submit a merge request to ysoserial (https://github.com/frohoff/ysoserial), see here: supersache/ysoserial@a65671e.
If someone does java.io.ObjectInputStream.readObject() on untrusted data and ceylon-language-1.3.3 is in the class path, an attacker can achieve Remote Code Execution (or execute arbitrary Java code on behalf of the server). I have no clue how and where ceylon is used or whether there is a realistic threat of exploitation.
I wanted to give you the opportunity to address this before the exploit code becomes public.