PT-2020-15644 · Taoensso · Taoensso Nippy

Published 2020-09-11 · Updated 2022-02-10 · CVE-2020-24164

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Taoensso Nippy versions prior to 2.14.2
Description: A deserialization flaw is present that allows an attacker to craft a malicious payload which executes arbitrary code when it is deserialized. The issue arises because the library automatically falls back to the Java Serializable interface during deserialization.
Recommendations: For versions prior to 2.14.2, update to version 2.14.2 or later to resolve the issue. As a temporary workaround, restrict the deserialization of untrusted data to minimize the risk of exploitation.

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2020-24164
GHSA-P5GM-FGFX-HR7H

Affected Products

Taoensso Nippy