6.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV):
- Attack complexity (AC):
- Privileges required (PR):
- User interaction (UI):
- Scope (S):
- Confidentiality impact (C):
- Integrity impact (I):
- Availability impact (A):
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed 11 packages:
  - libsForQt5.kactivities
  - plasma5Packages.kactivities
  - libsForQt5.kactivities-stats
  - kdePackages.plasma-activities
  - gnomeExtensions.auto-activities
  - gnomeExtensions.logo-activities
  - plasma5Packages.kactivities-stats
  - kdePackages.plasma-activities-stats
  - gnomeExtensions.hide-activities-button
  - gnomeExtensions.middle-click-activities
  - gnomeExtensions.double-click-activities-to-app-grid
- @LeSuisse dismissed the suggestion
Alfresco Activiti Process Variable Serialization System SerializableType.java createObjectInputStream deserialization
A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected are the functions deserialize and createObjectInputStream in the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the Process Variable Serialization System component. Serializable process variables are restored with a Java ObjectInputStream, so an attacker who can control a stored variable's bytes triggers deserialization of untrusted data. Remote exploitation is possible. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond.
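The unsafe pattern the advisory describes (restoring a variable's byte[] with a plain ObjectInputStream) beside a hardened variant, as an added example that is not Activiti's code. The class and method names are hypothetical, the allowlist is illustrative, and the hardened path uses the JDK's own ObjectInputFilter (JEP 290, Java 9 and later):

```java
import java.io.*;
import java.util.*;

/*
 * Added example, not taken from Activiti. A hypothetical stand-in for a
 * process-variable store that keeps serializable values as byte[] and
 * restores them with ObjectInputStream, shown unsafe and then hardened.
 */
public class VariableDeserializationDemo {

    // Hypothetical: how a serializable variable value would be stored.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Unsafe: every class named in the stream is resolved and instantiated,
    // so attacker-controlled bytes pick the classes (and gadget chains) loaded.
    static Object deserializeUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened: an explicit allowlist; "!*" rejects every other class anywhere
    // in the object graph, and the limits bound depth and reference counts.
    // java.lang.Number is listed because Long's serialized class descriptor
    // chain includes its serializable superclass.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;java.lang.Long;java.lang.Boolean;"
          + "java.util.HashMap;java.util.ArrayList;!*;maxdepth=20;maxrefs=1000");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Constructed stand-in for an attacker-chosen class that is not on the
    // allowlist. It is harmless here; a real payload would be a gadget chain.
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "should be rejected";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample variables, as a workflow might store them.
        Map<String, Object> vars = new HashMap<>();
        vars.put("approved", Boolean.TRUE);
        vars.put("amount", 42L);
        byte[] benign = serialize(vars);
        byte[] hostile = serialize(new NotAllowed());

        // The unsafe path accepts both streams.
        System.out.println("unsafe, benign:   " + deserializeUnsafe(benign));
        System.out.println("unsafe, hostile:  " + deserializeUnsafe(hostile).getClass().getName());

        // The filtered path accepts the map and rejects the unlisted class.
        System.out.println("filtered, benign: " + deserializeFiltered(benign));
        try {
            deserializeFiltered(hostile);
            System.out.println("filtered, hostile: accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac VariableDeserializationDemo.java && java VariableDeserializationDemo` on JDK 9 or later; the filtered path returns the map and throws InvalidClassException ("filter status: REJECTED") for the unlisted class. An allowlist only helps in code you control; for Activiti itself the remedy remains a vendor fix, and until one ships the practical checks are which principals can write process variables and whether serializable variable types are needed at all.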
References
- VDB-350396: Alfresco Activiti Process Variable Serialization System SerializableType.java createObjectInputStream deserialization (vdb-entry, technical-description)
- VDB-350396: CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
- Submit #768942: Activiti <=7.20 or < 8.8.0 Deserialization (third-party-advisory)
- https://github.com/AnalogyC0de/public_exp/issues/16 (issue-tracking, exploit)
Affected products
- ==7.0
- ==7.1
- ==7.2
- ==7.3
- ==7.4
- ==7.5
- ==7.6
- ==7.7
- ==7.8
- ==7.9
- ==7.10
- ==7.11
- ==7.12
- ==7.13
- ==7.14
- ==7.15
- ==7.16
- ==7.17
- ==7.18
- ==7.19
- ==8.0
- ==8.1
- ==8.2
- ==8.3
- ==8.4
- ==8.5
- ==8.6
- ==8.7
- ==8.8.0
Ignored packages (11)
- pkgs.libsForQt5.kactivities (no description)
- pkgs.plasma5Packages.kactivities (no description)
- pkgs.libsForQt5.kactivities-stats (no description)
- pkgs.kdePackages.plasma-activities: Core components for KDE's Activities System
- pkgs.gnomeExtensions.auto-activities: Show the activities overview when there are no windows, or hide it when there are new windows.
- pkgs.gnomeExtensions.logo-activities: Show an icon and label for the panel Activities button.
- pkgs.plasma5Packages.kactivities-stats (no description)
- pkgs.kdePackages.plasma-activities-stats: A library for accessing the usage data collected by the activities system.
- pkgs.gnomeExtensions.middle-click-activities: Opens the Activities Overview on a middle mouse button click in the top bar.
- pkgs.gnomeExtensions.double-click-activities-to-app-grid: Open the application grid by double-clicking the activities button, similarly to the Super key.