CVE-2021-38241 – Ruoyi hardcoded key leads to Shiro deserialization

A deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via a weak cipher in the Shiro framework.

The Ruoyi management system uses the Shiro framework but ships with the default (hardcoded) cipher key, which allows attackers to exploit the Shiro deserialization vulnerability for remote command execution.
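The weakness is the key, not the cipher: Shiro's rememberMe cookie is an encrypted, serialized Java object, and whoever knows the cipher key can produce a cookie that the server will decrypt and deserialize (this is the mechanism behind the referenced CVE-2016-4437). The following is an added example, not Ruoyi's own code, showing the vulnerable configuration shape next to a hardened one using the real Shiro API (`CookieRememberMeManager.setCipherKey`, `AesCipherService.generateNewKey`, `org.apache.shiro.codec.Base64`). The class name, the environment variable `SHIRO_REMEMBER_ME_KEY` and the placeholder key string are assumptions; the project's actual key value is deliberately not reproduced.

```java
// Added example (not Ruoyi's or Shiro's own code). Shows a rememberMe
// configuration with a hardcoded key beside a hardened version that reads a
// per-deployment secret. Names marked as assumptions are illustrative only.
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

public class RememberMeKeyExample {

    // VULNERABLE shape: a fixed key compiled into the application.
    // The string below is a placeholder, not a real key. Anyone who can read
    // the (public) source holds the key and can therefore encrypt an
    // attacker-chosen serialized object that the server will deserialize.
    public static CookieRememberMeManager hardcodedKeyManager() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(Base64.decode("<HARDCODED_BASE64_KEY_PLACEHOLDER>"));
        return manager;
    }

    // HARDENED: the key is a deployment secret supplied at runtime (environment
    // variable name is an assumption), never a literal in source control.
    // A missing or malformed key fails startup loudly instead of silently
    // falling back to a default that is known to everyone.
    public static CookieRememberMeManager secretKeyManager() {
        String encoded = System.getenv("SHIRO_REMEMBER_ME_KEY");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("SHIRO_REMEMBER_ME_KEY is not set");
        }
        byte[] key = Base64.decode(encoded);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(
                "SHIRO_REMEMBER_ME_KEY must decode to a 128/192/256-bit AES key");
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(key);
        return manager;
    }

    // Operator helper: generate a fresh random AES key once and store it as the
    // deployment secret. This is intentionally NOT called at application
    // startup: a key that changes on every restart, or differs between cluster
    // nodes, invalidates every existing rememberMe cookie.
    public static String generateKeyForDeployment() {
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        return Base64.encodeToString(key);
    }
}
```

When auditing a Shiro-based application, grep the configuration and Shiro config classes for `setCipherKey(` with a literal argument and for `Base64.decode("` next to it; any such literal is a hardcoded key regardless of whether the cipher is CBC or GCM. Rotating the key (and upgrading Shiro to a version that no longer ships a default key) is the fix; switching the cipher mode alone does not help while the key is public.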

[VulnerabilityType Other]

RCE (Remote command execution)

[Vendor of Product]

Ruoyi https://gitee.com/y_project/RuoYi

[Affected Product Code Base]

Ruoyi management system < 4.6.1 - All versions

[Attack Type]

Remote

[Impact Code execution]

true

[Attack Vectors]

The existing Shiro deserialization PoC is effective; use the AES-GCM variant of the PoC.

[Reference]

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437
http://www.ruoyi.vip/
https://gitee.com/y_project/RuoYi

[Discoverer]

du1ge
