Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Declaring Java RMI interface methods that take arbitrary objects as parameters lets the server deserialize untrusted data sent by clients; an attacker can supply crafted objects that exploit your system during deserialization, before your method body ever runs. Use simple types (such as IDs) instead, and avoid deserializing objects received from clients.
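The contrast below is an added example, not part of the original rule text: a remote interface that accepts an arbitrary `Object` beside one that only takes simple identifiers, plus a JEP 290 `ObjectInputFilter` allow-list for the cases where an object parameter cannot be avoided. The interface names, method names and the sample payloads are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;

// Vulnerable pattern (hypothetical interface): any Serializable the client sends is
// deserialized by the RMI runtime before placeOrder() executes, so the method body
// cannot validate it first.
interface OrderServiceUnsafe extends Remote {
    Object placeOrder(Object request) throws RemoteException;
}

// Hardened pattern (hypothetical interface): only primitive parameters cross the wire;
// the server resolves the referenced records itself.
interface OrderServiceSafe extends Remote {
    String placeOrder(long customerId, long productId, int quantity) throws RemoteException;
}

public class RmiDeserializationDemo {
    // Defense in depth when an object parameter is unavoidable: allow-list exactly the
    // classes the protocol needs and reject everything else ("!*").
    static ObjectInputFilter allowListFilter() {
        return ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Long;java.lang.Integer;java.lang.Number;!*");
    }

    // Deserialize with the allow-list applied; a class outside the list raises
    // InvalidClassException instead of being instantiated.
    static Object readWithFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: a benign allow-listed value, and a HashMap that
        // stands in for any class the protocol does not expect.
        System.out.println("allowed: " + readWithFilter(serialize(42L)));
        try {
            readWithFilter(serialize(new java.util.HashMap<String, String>()));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property, or passed to `UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)` so it governs every call to that exported object; the allow-list is a backstop, not a substitute for the simple-type interface shown above.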
Impact
If exploited, an attacker could execute arbitrary code on your server, gain unauthorized access, or take control of the system. This can lead to data breaches, service disruption, or full system compromise, putting both your application and organization at serious risk.