| tiêu đề | Oinone Oinone <= 7.2.0 Fastjson Remote Code Execution |
|---|
| Mô tả | Oinone AI Low-Code Development Framework is a 100% metadata-driven framework. This vulnerability is caused by a combination of a configuration flaw in the Oinone framework's underlying parser and GraphQL type conversion logic. In PamirsParserConfig.java, the system inherits Fastjson's ParserConfig and explicitly calls this.setAutoTypeSupport(true). This directly disables Fastjson's core security defense, allowing the instantiation of arbitrary classes via the @type identifier in JSON.
When Oinone processes GraphQL requests, if the backend defined parameter type is Map but the attacker provides a String, the system automatically calls JsonUtils.parseMap(value) for parsing. Attackers can leverage the appConfigQuery interface (which is on the authentication-free whitelist) to pass a malicious JSON string (e.g., containing the JdbcRowSetImpl class) via nested HashMap. When the parser processes nested objects, it instantiates the malicious class based on @type and calls its Setter methods, thereby triggering a JNDI connection to load and execute remote malicious bytecode in memory. |
|---|
| Nguồn | ⚠️ https://github.com/SourByte05/SourByte-Lab/issues/13 |
|---|
| Người dùng | sourbyte (UID 94279) |
|---|
| Đệ trình | 22/04/2026 10:21 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 16/05/2026 12:30 (24 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 364323 [Oinone Pamirs đến 7.2.0 appConfigQuery Interface PamirsParserConfig.java JsonUtils.parseMap nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|