CVE-2019-9212 - OpenCVE

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Antfin	Sofa-hessian

Configuration 1 [-]

cpe:2.3:a:antfin:sofa-hessian:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/alipay/sofa-hessian/issues/34	Issue Tracking Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-02-27T17:00:00

Updated: 2019-06-28T18:49:33

Reserved: 2019-02-27T00:00:00

Link: CVE-2019-9212

JSON object: View

NVD Information

Status : Modified

Published: 2019-02-27T17:29:00.427

Modified: 2024-05-17T01:39:50.493

Link: CVE-2019-9212

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-02-27T00:00:00", "descriptions": [{"lang": "en", "value": "SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn\u2019t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-28T18:49:33", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/alipay/sofa-hessian/issues/34"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9212", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn\u2019t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/alipay/sofa-hessian/issues/34", "refsource": "MISC", "url": "https://github.com/alipay/sofa-hessian/issues/34"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9212", "datePublished": "2019-02-27T17:00:00", "dateReserved": "2019-02-27T00:00:00", "dateUpdated": "2019-06-28T18:49:33", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:antfin:sofa-hessian:*:*:*:*:*:*:*:*", "matchCriteriaId": "707B2F4C-6EB7-4F46-ADBA-30FB9A0B9F3F", "versionEndIncluding": "4.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn\u2019t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated"}, {"lang": "es", "value": "** EN DISPUTA ** SOFA-Hessian hasta la versi\u00f3n 4.0.2 permite a los atacantes remotos ejecutar comandos arbitrarios a trav\u00e9s de un objeto Hessian serializado especialmente dise\u00f1ado debido a las listas negras de com.caucho.naming.QName y com.sun.org.apache.xpath.internal.objects. XString est\u00e1 mal manejado, relacionado con Gadget de resina. NOTA: El proveedor no considera este problema como una vulnerabilidad porque la lista negra est\u00e1 siendo mal utilizada. SOFA Hessian admite una lista negra personalizada y se public\u00f3 un descargo de responsabilidad para alentar a los usuarios a actualizar la lista negra o usar la funci\u00f3n de lista blanca para sus necesidades espec\u00edficas, ya que la lista negra no se actualiza activamente."}], "id": "CVE-2019-9212", "lastModified": "2024-05-17T01:39:50.493", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-27T17:29:00.427", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/alipay/sofa-hessian/issues/34"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}