CVE-2023-25581
Java deserialization vulnerability in pac4j-core (Maven)

Java deserialization Proof of concept

What is CVE-2023-25581 About?

This vulnerability is a Java deserialization flaw in `pac4j-core` prior to version 4.0.0. It affects applications that store externally controlled values in `UserProfile` attributes: a string attribute that begins with the marker `{#sb64}` is treated as a Base64-encoded serialized Java object and deserialized when the attribute is read. The deserialization passes through a `RestrictedObjectInputStream` that rejects only some classes, so an attacker who can place such a string in an attribute can feed the application a serialized gadget chain and potentially gain Remote Code Execution (RCE).

Affected Software

org.pac4j:pac4j-core <4.0.0

Technical Details

The Java deserialization vulnerability exists in pac4j-core when external values are stored in UserProfile attributes. An attacker can inject a specially crafted string consisting of the prefix {#sb64} followed by a Base64-encoded serialized Java object into one of these attributes. When the application later restores the attribute, pac4j-core decodes the Base64 payload and deserializes it through a RestrictedObjectInputStream. That stream restricts some classes, but it still permits a broad range of Java packages, so classes that perform dangerous operations during deserialization remain reachable. This leaves room for known Java gadget chains and can result in arbitrary code execution, including RCE.

What is the Impact of CVE-2023-25581?

Successful exploitation may allow attackers to execute arbitrary code in the context of the application, take full control of the affected system, or cause a denial of service through a resource-exhausting serialized payload.

What is the Exploitability of CVE-2023-25581?

Exploitation complexity is moderate to high: the attacker must understand Java deserialization gadget chains and be able to craft a serialized object out of classes the RestrictedObjectInputStream still permits. The attacker must also be able to control or influence a value that ends up in a UserProfile attribute, whether that value comes from a user-editable field or from an external source the application trusts (for example, attributes or claims relayed from an identity provider). No authentication is bypassed by the flaw itself, but any authenticated user who can set such an attribute can trigger it. The resulting code runs with the privileges of the application process performing the deserialization. The flaw is typically reachable remotely, but only through the specific input channels that feed UserProfile attributes. The primary risk factor is an application that stores untrusted or user-supplied data directly into UserProfile attributes without validating it (in particular, without rejecting values that carry the {#sb64} marker) or without ensuring that no dangerous classes can be deserialized.
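The following Java program is an added illustration of the pattern described in the Technical Details and Exploitability sections; it is not pac4j's own code. The class and method names are hypothetical, and the package-prefix allowlist in BroadPackageObjectInputStream is an assumption standing in for the real RestrictedObjectInputStream's list. It shows the vulnerable restore path (marker, Base64 decode, deserialization with a package-level allowlist) beside a hardened restore path that uses a JDK 9+ ObjectInputFilter with an explicit class allowlist, plus a write-side check that refuses attribute values carrying the marker. The payloads are benign JDK collections constructed inline; no gadget chain is included.

```java
import java.io.*;
import java.util.*;

/**
 * Added illustration for CVE-2023-25581 (hypothetical code, not pac4j's).
 * Models an attribute handler that treats "{#sb64}<base64>" strings as
 * serialized Java objects and restores them on read.
 */
public class Sb64AttributeDemo {

    static final String PREFIX_SB64 = "{#sb64}";

    /** Hypothetical stand-in for a stream that filters by package prefix only. */
    static class BroadPackageObjectInputStream extends ObjectInputStream {
        // Assumed allowlist: "java." alone admits every class in the JDK.
        private static final List<String> ALLOWED_PREFIXES =
                List.of("java.", "javax.", "org.pac4j.");

        BroadPackageObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : ALLOWED_PREFIXES) {
                if (name.startsWith(prefix)) return super.resolveClass(desc);
            }
            throw new InvalidClassException("class not allowed: " + name);
        }
    }

    /** Vulnerable pattern: marker -> Base64 -> deserialize behind a package-level allowlist. */
    static Object restoreVulnerable(Object value) throws IOException, ClassNotFoundException {
        if (!(value instanceof String)) return value;
        String s = (String) value;
        if (!s.startsWith(PREFIX_SB64)) return s;
        byte[] bytes = Base64.getDecoder().decode(s.substring(PREFIX_SB64.length()));
        try (ObjectInputStream ois = new BroadPackageObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: explicit class allowlist, everything else rejected, with size limits. */
    static Object restoreHardened(Object value) throws IOException, ClassNotFoundException {
        if (!(value instanceof String)) return value;
        String s = (String) value;
        if (!s.startsWith(PREFIX_SB64)) return s;
        byte[] bytes = Base64.getDecoder().decode(s.substring(PREFIX_SB64.length()));
        // JDK 9+ serialization filter: named data-only classes, "!*" rejects the rest,
        // and depth/reference limits cap resource-exhaustion payloads.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;java.lang.Integer;!*;maxdepth=8;maxrefs=256");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    /** Write-side check: an attribute value sourced externally must never carry the marker. */
    static void validateAttributeValue(String key, String value) {
        if (value != null && value.startsWith(PREFIX_SB64)) {
            throw new IllegalArgumentException(
                    "attribute '" + key + "' must not start with the " + PREFIX_SB64 + " marker");
        }
    }

    /** Builds a marker-prefixed payload from a benign object (constructed test input). */
    static String encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return PREFIX_SB64 + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Allowed by both paths: ArrayList of Strings.
        String listPayload = encode(new ArrayList<>(List.of("a", "b")));
        System.out.println("vulnerable restored: " + restoreVulnerable(listPayload));
        System.out.println("hardened restored:   " + restoreHardened(listPayload));

        // Inside "java." but outside the explicit allowlist: the package check lets it
        // through, the explicit filter rejects it. HashMap is harmless here; a real
        // attack would substitute a gadget class that the package check also admits.
        String mapPayload = encode(new HashMap<>(Map.of("k", "v")));
        System.out.println("vulnerable restored: " + restoreVulnerable(mapPayload));
        try {
            restoreHardened(mapPayload);
        } catch (InvalidClassException e) {
            System.out.println("hardened rejected:   " + e.getMessage());
        }

        // Write-side validation refuses the marker before it is ever stored.
        try {
            validateAttributeValue("display_name", mapPayload);
        } catch (IllegalArgumentException e) {
            System.out.println("validation rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac Sb64AttributeDemo.java && java Sb64AttributeDemo` on JDK 9 or later (ObjectInputFilter, List.of and Map.of need JDK 9+). The safest fix is to upgrade to a pac4j-core version without this deserialization path; the filter shown is the fallback for code that must keep deserializing, and the write-side check is what an application should apply to every externally sourced attribute regardless.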

What are the Known Public Exploits?

PoC Author | Link | Commentary
p33d       | Link | PoC for CVE-2023-25581

What are the Available Fixes for CVE-2023-25581?

Available Upgrade Options

  • org.pac4j:pac4j-core
    • <4.0.0 → Upgrade to 4.0.0 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2023-25581?

Similar Vulnerabilities: CVE-2023-25157, CVE-2023-21931, CVE-2023-21837, CVE-2022-21447, CVE-2021-44228