Vulnerability Details CVE-2024-46983
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 37.7%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2024-46983
-
cpe:2.3:a:antfin:sofa-hessian:-
-
cpe:2.3:a:antfin:sofa-hessian:3.3.0
-
cpe:2.3:a:antfin:sofa-hessian:3.3.1
-
cpe:2.3:a:antfin:sofa-hessian:3.3.10
-
cpe:2.3:a:antfin:sofa-hessian:3.3.2
-
cpe:2.3:a:antfin:sofa-hessian:3.3.3
-
cpe:2.3:a:antfin:sofa-hessian:3.3.4
-
cpe:2.3:a:antfin:sofa-hessian:3.3.5
-
cpe:2.3:a:antfin:sofa-hessian:3.3.6
-
cpe:2.3:a:antfin:sofa-hessian:3.3.7
-
cpe:2.3:a:antfin:sofa-hessian:3.3.8
-
cpe:2.3:a:antfin:sofa-hessian:3.3.9
-
cpe:2.3:a:antfin:sofa-hessian:3.4.0
-
cpe:2.3:a:antfin:sofa-hessian:3.5.0
-
cpe:2.3:a:antfin:sofa-hessian:3.5.2
-
cpe:2.3:a:antfin:sofa-hessian:3.5.3
-
cpe:2.3:a:antfin:sofa-hessian:3.5.4