Home > Vulnerability Database > CVE-2023-41331

Mend.io Vulnerability Database

CVE-2023-41331

Good to know:

Date: September 12, 2023

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

Language: Java

Severity Score

9.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-41331

Url: https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86

Url: https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0

Url: https://www.mend.io/vulnerability-database/CVE-2023-41331

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-917

Top Fix

Upgrade Version

Upgrade to version com.alipay.sofa:sofa-rpc-all:5.11.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-41331

Good to know:

Date: September 12, 2023

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?