Critical severityOSV Advisory· Published Feb 27, 2019· Updated Aug 4, 2024
CVE-2019-9212
CVE-2019-9212
Description
SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.alipay.sofa:hessianMaven | >= 4.0.0, < 4.0.2 | 4.0.2 |
com.alipay.sofa:hessianMaven | < 3.3.6 | 3.3.6 |
Affected products
2- Range: v3.3.0, v3.3.1, v3.3.2, …
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-pfwp-8pq4-g7pvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-9212ghsaADVISORY
- github.com/alipay/sofa-hessian/issues/34ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.