CVE-2023-25581

Name of the Vulnerable Software and Affected Versions pac4j versions prior to 4.0.0

Description The vulnerability is a Java deserialization issue that affects systems storing externally controlled values in attributes of the UserProfile class from pac4j-core. It can be exploited by providing an attribute containing a serialized Java object with a special prefix {#sb64} and Base64 encoding, potentially leading to Remote Code Execution (RCE). Although a RestrictedObjectInputStream is in place, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains.

Recommendations To resolve the issue, upgrade to pac4j version 4.0.0 or later. As a temporary workaround, consider restricting the use of the UserProfile class from pac4j-core to minimize the risk of exploitation. Avoid using the pac4j-core version prior to 4.0.0 until a patch is available.