| 제목 | Activiti <=7.20 or < 8.8.0 Deserialization |
|---|
| 설명 | A critical remote code execution vulnerability exists in Activiti's process variable serialization system. The application accepts user-controlled Serializable objects via REST or Java APIs, stores them in the database without validation, and subsequently deserializes them using an unrestricted ObjectInputStream. This allows attackers to execute arbitrary code through deserialization gadget chains commonly available in Activiti deployments (Spring Framework, Jakarta Expression Language, Apache Commons Collections).
|
|---|
| 원천 | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/16 |
|---|
| 사용자 | Ana10gy (UID 93358) |
|---|
| 제출 | 2026. 02. 27. AM 08:00 (1 월 ago) |
|---|
| 모더레이션 | 2026. 03. 11. PM 02:36 (12 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 350396 [Alfresco Activiti 까지 7.19/8.8.0 Process Variable Serialization System SerializableType.java deserialize/createObjectInputStream 권한 상승] |
|---|
| 포인트들 | 20 |
|---|