Deserialization of Untrusted Data
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
If a JAX-RS REST endpoint does not specify a @Consumes annotation, it may accept requests with Content-Type ‘application/x-java-serialized-object’. This allows attackers to send serialized Java objects, which could be deserialized by the server without validation.
Impact#
An attacker could exploit this to send malicious serialized objects, potentially leading to arbitrary code execution on the server. This could result in data breaches, server compromise, or further attacks on your infrastructure.