| 제목 | WVP PRO wvp-GB28181-pro 2.7.4 Deserialization |
|---|
| 설명 | The application's Redis template configuration (`RedisTemplateConfig.java`) uses `GenericFastJsonRedisSerializer` from FastJSON 2.x as the global serializer for Redis value operations. This serializer enables `JSONReader.Feature.SupportAutoType` by default, which allows arbitrary class instantiation during deserialization based on the `@type` field in JSON data.
An attacker can exploit this by:
1. Writing malicious JSON containing a `@type` annotation to Redis (via any API endpoint that stores data in Redis)
2. Waiting for any service to read from the affected Redis key
3. Triggering automatic deserialization that instantiates the attacker-specified class
4. Achieving remote code execution through known FastJSON gadget chains
This is a critical framework-level vulnerability because the unsafe configuration is global, affecting all Redis operations throughout the application.
|
|---|
| 원천 | ⚠️ https://github.com/wing3e/public_exp/issues/1 |
|---|
| 사용자 | Winegee (UID 96308) |
|---|
| 제출 | 2026. 03. 10. AM 11:32 (27 날 ago) |
|---|
| 모더레이션 | 2026. 03. 25. PM 05:28 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 353191 [648540858 wvp-GB28181-pro 까지 2.7.4 API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer 권한 상승] |
|---|
| 포인트들 | 20 |
|---|