{"containers": {"cna": {"affected": [{"product": "com.alibaba:fastjson", "vendor": "n/a", "versions": [{"lessThan": "1.2.83", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Unknown"}], "datePublic": "2022-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.7, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Deserialization of Untrusted Data", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:53:32", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"}, {"tags": ["x_refsource_MISC"], "url": "https://www.ddosi.org/fastjson-poc/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/alibaba/fastjson/wiki/security_update_20220523"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/alibaba/fastjson/releases/tag/1.2.83"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "title": "Deserialization of Untrusted Data", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-06-10T20:00:19.390362Z", "ID": "CVE-2022-25845", "STATE": "PUBLIC", "TITLE": "Deserialization of Untrusted Data"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "com.alibaba:fastjson", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.83"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Unknown"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode)."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"}, {"name": "https://www.ddosi.org/fastjson-poc/", "refsource": "MISC", "url": "https://www.ddosi.org/fastjson-poc/"}, {"name": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15", "refsource": "MISC", "url": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"}, {"name": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d", "refsource": "MISC", "url": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"}, {"name": "https://github.com/alibaba/fastjson/wiki/security_update_20220523", "refsource": "MISC", "url": "https://github.com/alibaba/fastjson/wiki/security_update_20220523"}, {"name": "https://github.com/alibaba/fastjson/releases/tag/1.2.83", "refsource": "MISC", "url": "https://github.com/alibaba/fastjson/releases/tag/1.2.83"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:43.620Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.ddosi.org/fastjson-poc/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/alibaba/fastjson/wiki/security_update_20220523"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/alibaba/fastjson/releases/tag/1.2.83"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25845", "datePublished": "2022-06-10T20:05:40.814063Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-16T23:36:49.600Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*", "matchCriteriaId": "0493BADE-C286-47E0-8652-C1C4D39DDAB5", "versionEndExcluding": "1.2.83", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "74810125-09E6-4F27-B541-AFB61112AC56", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode)."}, {"lang": "es", "value": "El paquete com.alibaba:fastjson versiones anteriores a 1.2.83, es vulnerable a una Deserializaci\u00f3n de Datos No Confiables al omitir las restricciones de cierre de autoType por defecto, lo cual es posible bajo determinadas condiciones. La explotaci\u00f3n de esta vulnerabilidad permite atacar servidores remotos. Mitigaci\u00f3n: Si la actualizaci\u00f3n no es posible, puede habilitar [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode)"}], "id": "CVE-2022-25845", "lastModified": "2023-02-23T17:51:57.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-06-10T20:15:08.117", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"}, {"source": "report@snyk.io", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/alibaba/fastjson/releases/tag/1.2.83"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/alibaba/fastjson/wiki/security_update_20220523"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.ddosi.org/fastjson-poc/"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "fastjson", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}], "bugzilla": {"description": "fastjson: autoType shutdown restriction bypass leads to deserialization", "id": "2100654", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2100654"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).", "A flaw was found in com.alibaba:fastjson, a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions."], "mitigation": {"lang": "en:us", "value": "Users who can not upgrade to the fixed version may enable safeMode; this completely disables the autoType function and eliminates the vulnerability risk. [https://github.com/alibaba/fastjson/wiki/fastjson_safemode]"}, "name": "CVE-2022-25845", "package_state": [{"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "fastjson", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "fastjson", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "fastjson", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2022-06-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25845\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25845\nhttps://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"], "threat_severity": "Important", "upstream_fix": "fastjson 1.2.83"}