CVE-2024-46983

Name of the Vulnerable Software and Affected Versions sofahessian versions prior to 3.5.5

Description The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.

Recommendations To resolve the issue, upgrade to sofahessian version 3.5.5. For users unable to upgrade, maintain a blacklist in the directory external/serialize.blacklist as a temporary workaround.