FASTJSON Remote Code Execution Vulnerability
Alibaba has issued a Fastjson risk notice remote code execution vulnerability which affects versions 1.2.80 and below. The default autoType closure restriction can be bypassed under certain conditions. An attacker could exploit this vulnerability to achieve remote code execution on the target machine.
Fastjson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object. Fastjson can work with arbitrary Java objects including pre-existing objects that you do not have source-code of.
The CVE for the FASTJSON remote code execution vulnerability is not yet available.
- Fastjson ≤ 1.2.80
- Fastjson 1.2.83
Configure in code:
- Use JVM startup parameters
- Configure through the properties file