Headline
GHSA-7c5v-895v-w4q5: jooby-pac4j: deserialization of untrusted data
Impact
Versions after 2.x and before 3.x of io.jooby:jooby-pac4j can cause deserialization of untrusted data
Patches
- 2.17.0 (2.x)
- 3.7.0 (3.x)
Workarounds
- Not using io.jooby:jooby-pac4j until it gets patches.
- Check what values you put/save on session
References
Version 2.x:
https://github.com/jooby-project/jooby/blob/v2.x/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L39-L45
Version 3.x: https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84
Cause
In module pac4j io.jooby.internal.pac4j.SessionStoreImpl#get , it is used to handle sessions , and trying to get key value. In strToObject function ,it’s trying to deserialize value when value starts with “b64~” , which might cause deserialization of untrusted data.
modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java
Here’s a small demo using SessionStoreImpl#get to handle sessions ,and user can pass parameters.
And following below is exploiting successfully(execute calculator)
Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.