{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42809", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-14T16:13:33.307Z", "datePublished": "2023-10-04T19:18:39.875Z", "dateUpdated": "2024-09-19T18:59:38.518Z"}, "containers": {"cna": {"title": "Redisson unsafe deserialization vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/"}, {"name": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "tags": ["x_refsource_MISC"], "url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe"}], "affected": [{"vendor": "redisson", "product": "redisson", "versions": [{"version": "< 3.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-04T19:18:39.875Z"}, "descriptions": [{"lang": "en", "value": "Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.\n\nSome post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization."}], "source": {"advisory": "GHSA-4hvc-qwr2-f8rv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.258Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/"}, {"name": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T18:58:31.707910Z", "id": "CVE-2023-42809", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T18:59:38.518Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "name": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "name": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.258Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42809", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-19T18:58:31.707910Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T18:58:47.916Z"}}], "cna": {"title": "Redisson unsafe deserialization vulnerability", "source": {"advisory": "GHSA-4hvc-qwr2-f8rv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "redisson", "product": "redisson", "versions": [{"status": "affected", "version": "< 3.22.0"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "name": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "name": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.\n\nSome post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-04T19:18:39.875Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42809", "state": "PUBLISHED", "dateUpdated": "2024-09-19T18:59:38.518Z", "dateReserved": "2023-09-14T16:13:33.307Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-04T19:18:39.875Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redisson:redisson:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E83B6EC-FF08-4044-9EAA-769C599F95BA", "versionEndExcluding": "3.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.\n\nSome post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization."}, {"lang": "es", "value": "Redisson es un cliente Java Redis que utiliza el framework Netty. Antes de la versi\u00f3n 3.22.0, algunos de los mensajes recibidos del servidor Redis contienen objetos Java que el cliente deserializa sin mayor validaci\u00f3n. Los atacantes que logran enga\u00f1ar a los clientes para que se comuniquen con un servidor malicioso pueden incluir objetos especialmente manipulados en sus respuestas que, una vez deserializados por el cliente, lo obligan a ejecutar c\u00f3digo arbitrario. Se puede abusar de esto para tomar el control de la m\u00e1quina en la que se ejecuta el cliente. La versi\u00f3n 3.22.0 contiene un parche para este problema. Se encuentran disponibles algunos consejos posteriores a la reparaci\u00f3n. NO utilice `Kryo5Codec` como c\u00f3dec de deserializaci\u00f3n, ya que a\u00fan es vulnerable a la deserializaci\u00f3n arbitraria de objetos debido a la llamada `setRegistrationRequired(false)`. Por el contrario, \"KryoCodec\" es seguro de usar. La soluci\u00f3n aplicada a `SerializationCodec` solo consiste en agregar una lista opcional de nombres de clases de permitidos, aunque se recomienda que este comportamiento sea el predeterminado. Al crear una instancia de `SerializationCodec`, utilice el constructor `SerializationCodec(ClassLoader classLoader, Set AllowClasses)` para restringir las clases permitidas para la deserializaci\u00f3n."}], "id": "CVE-2023-42809", "lastModified": "2023-10-10T17:21:16.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-04T20:15:10.263", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "org.redisson:redisson: Redisson vulnerable to Deserialization of Untrusted Data", "id": "2302986", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302986"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.\nSome post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization.", "Deserialization of untrusted data vulnerability was found in Redisson, as some messages received from the Redis server contain Java objects that the client deserializes without further validation. This flaw allows attackers who manage to trick clients into communicating with a malicious server to include specially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This issue can be exploited to take control of the machine the client is running in."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-42809", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "org.redisson/redisson", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.redisson/redisson", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "org.redisson/redisson", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "org.redisson/redisson", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2023-06-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-42809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-42809\nhttps://github.com/redisson/redisson\nhttps://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe\nhttps://securitylab.github.com/advisories/GHSL-2023-053_Redisson"], "statement": "This vulnerability in Redisson is a important severity issue because it directly enables remote code execution (RCE) by allowing an attacker to inject malicious objects into the deserialization process. Since deserialization occurs automatically and without proper validation, an attacker can exploit this flaw to execute arbitrary code on the client machine, potentially leading to full system compromise. The impact is particularly severe as it bypasses traditional security controls and can be leveraged to escalate privileges, exfiltrate sensitive data, or disrupt services, making it a significant threat to the security and integrity of affected systems.", "threat_severity": "Important"}