Impact
The vulnerability resides in the testConnection endpoint of the ADP Application Developer Platform. An attacker can manipulate the jdbcUrl argument to trigger deserialization of untrusted data, a flaw classified under CWE-502 and weak input validation (CWE-20). This can lead to remote code execution or other forms of arbitrary code execution if the deserialized objects are crafted maliciously. The built‑in deserialization mechanism is exposed to external input, allowing an attacker to send crafted payloads that may be executed on the server, compromising confidentiality, integrity, and availability of the application.
Affected Systems
zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 is affected. The flaw is located in an unknown part of the testConnection component, with no other versions or components listed as impacted.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, but the use of deserialization elevates the risk. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability can be exploited remotely; the attack vector involves sending a specially crafted jdbcUrl parameter. The public exploitation of this flaw confirms its potential impact and that attackers can attempt it from outside the network.
OpenCVE Enrichment