| タイトル | WVP PRO wvp-GB28181-pro 2.7.4 Deserialization |
|---|
| 説明 | The application's Redis template configuration (`RedisTemplateConfig.java`) uses `GenericFastJsonRedisSerializer` from FastJSON 2.x as the global serializer for Redis value operations. This serializer enables `JSONReader.Feature.SupportAutoType` by default, which allows arbitrary class instantiation during deserialization based on the `@type` field in JSON data.
An attacker can exploit this by:
1. Writing malicious JSON containing a `@type` annotation to Redis (via any API endpoint that stores data in Redis)
2. Waiting for any service to read from the affected Redis key
3. Triggering automatic deserialization that instantiates the attacker-specified class
4. Achieving remote code execution through known FastJSON gadget chains
This is a critical framework-level vulnerability because the unsafe configuration is global, affecting all Redis operations throughout the application.
|
|---|
| ソース | ⚠️ https://github.com/wing3e/public_exp/issues/1 |
|---|
| ユーザー | Winegee (UID 96308) |
|---|
| 送信 | 2026年03月10日 11:32 (28 日 ago) |
|---|
| モデレーション | 2026年03月25日 17:28 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 353191 [648540858 wvp-GB28181-pro 迄 2.7.4 API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer 特権昇格] |
|---|
| ポイント | 20 |
|---|