Insecure Deserialization Remote Code Execution
Impact: High
Description
Insecure deserialization occurs when an application deserializes user-supplied object data without verifying its integrity. An attacker who controls the serialized input can manipulate the application's state and execute commands remotely.
Recommendation
Change the application architecture so that it does not depend on deserializing objects from an untrusted source, or at least restrict deserialization to primitive data types only. If object deserialization is unavoidable, enforce integrity checks such as digital signatures on every serialized object so that tampering is detected before the data is processed. Also log all deserialization errors and monitor them.
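As an added example (not part of this advisory), the Python sketch below applies the recommendation: every serialized object carries an HMAC-SHA256 tag, the tag is verified in constant time before the payload is parsed, and the loader refuses to resolve any class, so only primitive types and their containers can be deserialized. The key, the sample objects and the `tamper` helper are constructed for illustration.

```python
import datetime
import hashlib
import hmac
import io
import pickle

# Constructed key for this example only; a real service loads it from a secret store.
SECRET_KEY = b"constructed-example-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def serialize_signed(obj, key=SECRET_KEY):
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the payload."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Refuses to resolve any class or callable, so only built-in primitives and
    their containers (dict, list, tuple, set, str, bytes, numbers, None) load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def deserialize_verified(blob, key=SECRET_KEY):
    """Check the tag first, then unpickle the payload with the restricted loader."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an integrity tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: tag does not match payload")
    return PrimitiveOnlyUnpickler(io.BytesIO(payload)).load()

def safe_load(blob, key=SECRET_KEY):
    """Handler-friendly wrapper: (True, obj) on success, (False, reason) on rejection.
    Rejections are what the advisory says to log and monitor."""
    try:
        return True, deserialize_verified(blob, key)
    except (ValueError, pickle.UnpicklingError) as exc:
        return False, str(exc)

def tamper(blob, index=-1):
    """Flip one bit of the blob to simulate modification in transit (test helper)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)

def demo():
    """Three cases: valid object, tampered blob, and a non-primitive (datetime.date)."""
    good = serialize_signed({"user_id": 42, "roles": ["viewer"]})
    return [safe_load(good), safe_load(tamper(good)),
            safe_load(serialize_signed(datetime.date(2021, 10, 10)))]

if __name__ == "__main__":
    for result in demo():
        print(result)
```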
Last updated on October 10, 2021