This repository was archived by the owner on Apr 13, 2023. It is now read-only.

Security problem: Ceylon allows building a deserialization gadget #7471

@supersache

Hello, the class org.eclipse.ceylon.compiler.java.language.SerializationProxy allows one to build a very simple deserialization gadget.
I'm about to submit a merge request to ysoserial (https://github.com/frohoff/ysoserial), see here: supersache/ysoserial@a65671e.
If someone does java.io.ObjectInputStream.readObject() on untrusted data and ceylon-language-1.3.3 is in the class path, an attacker can achieve Remote Code Execution (or execute arbitrary Java code on behalf of the server). I have no clue how and where Ceylon is used, or whether there is a realistic threat of exploitation.

I wanted to give you the opportunity to address this before the exploit code becomes public.
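As an added defensive example (not part of the issue above or of the Ceylon project): a JEP 290 deserialization allowlist that rejects every class outside the one type a service expects, which is the check a server calling readObject() on untrusted input needs regardless of which gadget library happens to sit on its classpath. The `FilteredReadObject` class, its `Ping` message type and the constructed HashMap input used to trigger a rejection are assumptions for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredReadObject {

    // Hypothetical message type that the server legitimately expects to receive.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Ping(String message) { this.message = message; }
    }

    // JEP 290 allowlist: only Ping and String may be deserialized. "!*" rejects every
    // other class, so a stream carrying org.eclipse.ceylon.compiler.java.language.SerializationProxy
    // (or any other gadget class) fails with InvalidClassException before that class is
    // resolved or its readObject runs. The same pattern string can be applied JVM-wide
    // with -Djdk.serialFilter=... ; the size/depth limits bound resource abuse as well.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "FilteredReadObject$Ping;java.lang.String;!*;maxdepth=4;maxbytes=4096");

    static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter.
        Ping p = (Ping) readUntrusted(serialize(new Ping("hello")));
        System.out.println("accepted: " + p.message);
        // A benign but unexpected class (constructed stand-in for an unknown payload) is
        // rejected; log such rejections, since they are a useful detection signal.
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide filter via `jdk.serialFilter` additionally covers any readObject() call the application code does not own, such as one inside a library.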
