Description

It was determined that your web application is performing Java object deserialization of user-supplied data. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. Consult Web references section for more information about this issue.

Remediation

Java object deserialization should not be performed on user-supplied data.

References

The Java Deserialization Bug

AppSecCali 2015 - Marshalling Pickles

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common?

Related Vulnerabilities

PHP object deserialization of user-supplied data

WordPress Plugin Export Users to CSV CSV Injection (1.4.2)

MongoDb Improper Input Validation Vulnerability (CVE-2012-6619)

Oracle Database Server Improper Input Validation Vulnerability (CVE-2020-1953)

WordPress Plugin Events Manager CSV Injection (5.9.7.1)

Severity

Medium

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Insecure Deserialization