CVE-2023-26779
Description
CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CleverStupidDog yf-exam v1.8.0 is vulnerable to deserialization via fastjson 1.2.56, leading to arbitrary code execution.
Vulnerability
CVE-2023-26779 affects CleverStupidDog yf-exam version 1.8.0. The application uses fastjson 1.2.56, a Java library that is known to have a deserialization vulnerability. The bug is triggered when the application deserializes untrusted JSON data without proper filtering, allowing an attacker to control the type of object being deserialized [1][2].
Exploitation
An attacker does not need authentication if the vulnerable endpoint is exposed publicly. The exploit involves sending a crafted JSON payload to the application that triggers the deserialization of a malicious object. Because fastjson 1.2.56 lacks security features such as an @type allowlist, the attacker can instantiate arbitrary Java classes. The reference advisory [1] describes the payload and steps to achieve remote code execution. The attack does not require user interaction or special privileges other than network access to the vulnerable service.
Impact
Successful exploitation leads to remote code execution (RCE) on the server running the yf-exam application. The attacker gains the ability to execute arbitrary system commands with the privileges of the application process. This results in full compromise of the confidentiality, integrity, and availability of the affected system [1][2].
Mitigation
The vendor has not released a patched version of yf-exam as of the given references. The issue is rooted in the use of fastjson 1.2.56; upgrading to a later version of fastjson that includes security fixes (e.g., 1.2.58 or higher) may mitigate the vulnerability. Alternatively, users can implement input validation or disable the insecure deserialization capabilities of fastjson if possible. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication [1][2].
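As an added example of the input validation the mitigation mentions (not code from yf-exam or fastjson), the check below inspects a JSON request body before it reaches the Java parser and rejects any fastjson `@type` member whose value is outside an explicit allowlist; the package prefix `com.example.dto.` and the sample bodies are constructed.

```python
"""Pre-deserialization check for fastjson-style "@type" keys.

fastjson reads an "@type" member from incoming JSON to choose the Java class it
instantiates, which is the hook the deserialization bug in this CVE relies on.
This validator (an added example, not yf-exam's or fastjson's own code) walks
the parsed document at every nesting depth and reports "@type" values that do
not start with an allowed package prefix. It checks the parsed tree rather
than the raw text so escaped spellings of the key (e.g. "\\u0040type") are
normalised first, and it fails closed on anything json.loads cannot parse.
"""
import json
from typing import Iterator

TYPE_KEY = "@type"


def find_type_keys(node, path="$") -> Iterator[tuple[str, object]]:
    """Yield (json_path, value) for every "@type" member, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == TYPE_KEY:
                yield path, value
            yield from find_type_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_type_keys(item, f"{path}[{i}]")


def validate_request_body(body: str, allowed_prefixes=("com.example.dto.",)) -> list[str]:
    """Return findings; an empty list means the body carries no disallowed "@type".

    allowed_prefixes: constructed package prefixes under which this application's
    legitimate DTO classes live. Anything else is reported.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # fastjson accepts some non-standard JSON; refuse rather than guess.
        return [f"malformed JSON: {exc.msg}"]
    findings = []
    for path, value in find_type_keys(doc):
        if not isinstance(value, str):
            findings.append(f"{path}: non-string @type value {value!r}")
        elif not value.startswith(allowed_prefixes):
            findings.append(f"{path}: @type {value!r} is not in the allowlist")
    return findings
```

Deploy it in front of the endpoint (reverse proxy, servlet filter, or WAF rule) so a body with findings is rejected before fastjson parses it.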
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CleverStupidDog/yf-exam
- Range: = 1.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.