PT-2026-54850 · Unknown · Mchange-Commons-Java
4Ra1N
Published 2026-07-01 · Updated 2026-07-01
CVE-2026-55153
CVSS v3.1: 7.1 (High)
Vector: AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
mchange-commons-java versions prior to 0.6.0
Description
The JNDI ObjectFactory implementation com.mchange.v2.naming.JavaBeanObjectFactory allows the construction of objects from arbitrary classes and the initialization of their JavaBean-style properties. This makes it usable for JNDI injection and as a deserialization gadget (a chain of existing classes whose methods run as a side effect of deserializing an object). For instance, setting the contentType property of a Swing JEditorPane to text/html and its text property to HTML containing a stylesheet <link> causes an HTTP GET request to an arbitrary URL. The risk is increased by the ReferenceIndirector, which allows malicious JNDI Reference objects to be smuggled into a stream and dereferenced when an application reads a Java-serialized object.
Recommendations
Update to version 0.6.0.
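Upgrading is the fix; as defence in depth for applications that must read Java-serialized data, the following added example (not code from the advisory or from mchange-commons-java) installs a JDK ObjectInputFilter that rejects javax.naming.Reference and everything under com.mchange.v2.naming before an ObjectFactory can ever be consulted. The com.mchange.v2.naming.** pattern is an assumption about where the ReferenceIndirector's serialized form lives; the allowed JDK classes are a deliberately small allow-list for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import javax.naming.Reference;

public class JndiReferenceFilterDemo {

    // Allow-list filter: reject JNDI References and the mchange naming package
    // (assumed location of the ReferenceIndirector), permit a few plain JDK
    // types, cap graph depth, and deny everything else.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!javax.naming.**;!com.mchange.v2.naming.**;"
        + "java.util.ArrayList;java.lang.*;maxdepth=10;!*");

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // consulted before any class is resolved
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: passes the allow-list.
        List<String> benign = new ArrayList<>(List.of("a", "b"));
        System.out.println("benign -> " + deserializeFiltered(serialize(benign)));

        // A bare, constructed JNDI Reference (no factory attached) stands in for the
        // smuggled Reference the advisory describes; the stream is rejected at the
        // class-descriptor stage, so no ObjectFactory is ever invoked.
        Reference ref = new Reference("java.lang.Object");
        try {
            deserializeFiltered(serialize(ref));
            System.out.println("UNEXPECTED: Reference was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected -> " + e.getMessage());
        }
    }
}
```

Running it prints the benign list followed by a rejection whose message reports the filter status REJECTED; in production a global filter (jdk.serialFilter) reaches code paths that never call setObjectInputFilter themselves.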
Fix
Deserialization of Untrusted Data
Affected Products
Mchange-Commons-Java