Submit #768942: Activiti <=7.20 or < 8.8.0 Deserialization Info

Title: Activiti <=7.20 or < 8.8.0 Deserialization
Description: A critical remote code execution vulnerability exists in Activiti's process variable serialization system. The application accepts user-controlled Serializable objects via REST or Java APIs, stores them in the database without validation, and subsequently deserializes them using an unrestricted ObjectInputStream. This allows attackers to execute arbitrary code through deserialization gadget chains commonly available in Activiti deployments (Spring Framework, Jakarta Expression Language, Apache Commons Collections).
Source: ⚠️ https://github.com/AnalogyC0de/public_exp/issues/16
User: Ana10gy (UID 93358)
Submission: February 27, 2026 08:00 (1 month ago)
Moderation: March 11, 2026 14:36 (12 days later)
Status: Accepted
VulDB entry: 350396 [Alfresco Activiti up to 7.19/8.8.0 Process Variable Serialization System SerializableType.java deserialize/createObjectInputStream privilege escalation]
Points: 20
