Invocation
should not invoke arbitrary method
#3115
Comments
I would like to know: if I want to report this vulnerability, which email address should I send the information to? @harawata
Before I let you know my email address, let me check a few things. For the JDK's deserialization vulnerability, you should use a JEP-290 filter. See #2079. I have received a report about RCE when using the SQL provider.
@harawata,
Okay, send it to my Gmail. The account name is the same as GitHub's.
If an application developer passes a non-sanitized string to OGNL or similar technologies (which you should never do), an attacker can use org.apache.ibatis.plugin.Invocation in the app's classpath to execute arbitrary code (RCE).
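Why a class like Invocation is a gadget, and one way to constrain it, as an added example that is not code from MyBatis or from this issue. The class below mirrors only the shape of the problem: a public constructor taking an arbitrary target object and a java.lang.reflect.Method, plus a proceed() that reflectively invokes it. An expression-language payload that can construct objects and call public methods can therefore name any class, method and arguments it likes. The hardened variant rejects any Method not declared on an allow-list of interceptable interfaces; the interface names (Executor, StatementHandler) and the allow-list approach are assumptions for this demo, not a description of the project's actual patch.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Set;

/*
 * Added example, not MyBatis code. Demonstrates why a public
 * "invoke this Method on this target" wrapper is an RCE gadget for
 * expression-language injection, and one way to restrict it.
 */
public class InvocationGadgetDemo {

    // Stand-ins for the interfaces an interceptor framework would wrap
    // (assumption: names chosen for this demo only).
    public interface Executor { int update(String statement); }
    public interface StatementHandler { void prepare(String sql); }

    /** Shape of the problem: any target, any Method, reflective invoke, no check. */
    public static final class UnrestrictedInvocation {
        private final Object target;
        private final Method method;
        private final Object[] args;

        public UnrestrictedInvocation(Object target, Method method, Object[] args) {
            this.target = target;
            this.method = method;
            this.args = args;
        }

        public Object proceed() throws InvocationTargetException, IllegalAccessException {
            return method.invoke(target, args); // whatever the caller (or attacker) chose
        }
    }

    /** Hardened variant: only methods declared on the interceptable interfaces. */
    public static final class RestrictedInvocation {
        private static final Set<Class<?>> ALLOWED =
                Set.of(Executor.class, StatementHandler.class);

        private final Object target;
        private final Method method;
        private final Object[] args;

        public RestrictedInvocation(Object target, Method method, Object[] args) {
            // Reject at construction time so an injected expression cannot
            // even build a usable instance, let alone call proceed().
            if (!ALLOWED.contains(method.getDeclaringClass())) {
                throw new IllegalArgumentException(
                        "Method '" + method.getName() + "' is not one of the interceptable methods");
            }
            this.target = target;
            this.method = method;
            this.args = args;
        }

        public Object proceed() throws InvocationTargetException, IllegalAccessException {
            return method.invoke(target, args);
        }
    }

    public static void main(String[] argv) throws Exception {
        // A harmless method stands in for what an attacker would really pick
        // (e.g. something on Runtime); the point is that nothing stops the choice.
        Method getProperty = System.class.getMethod("getProperty", String.class);
        Object leaked = new UnrestrictedInvocation(null, getProperty, new Object[]{"java.version"}).proceed();
        System.out.println("unrestricted proceed() returned: " + leaked);

        // Same Method against the hardened wrapper is refused.
        try {
            new RestrictedInvocation(null, getProperty, new Object[]{"java.version"});
        } catch (IllegalArgumentException e) {
            System.out.println("restricted: " + e.getMessage());
        }

        // Legitimate interceptor use still works.
        Executor executor = stmt -> 1;
        Method update = Executor.class.getMethod("update", String.class);
        Object rows = new RestrictedInvocation(executor, update, new Object[]{"insertFoo"}).proceed();
        System.out.println("restricted proceed() on Executor.update returned: " + rows);
    }
}
```

Compile and run with javac/java; the first call succeeds and prints the JVM version, the second is rejected before proceed() can run, and the third shows that a method declared on an allowed interface still goes through. The broader lesson, which the issue body also states, is that the allow-list only narrows the blast radius of one gadget: untrusted input must never reach OGNL or a similar expression evaluator in the first place.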