CVE-2023-41331 : SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remo

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

Published 2023-09-12 20:15:10

Updated 2023-09-15 19:23:36

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-41331

Sofastack » Sofarpc
Versions before (<) 5.11.0
cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-41331

EPSS FAQ

5.83%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-41331

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-41331

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-41331

https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0

Release v5.11.0 Released · sofastack/sofa-rpc · GitHub
Release Notes
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86

Remote Command Execution(RCE) Vulnerbility · Advisory · sofastack/sofa-rpc · GitHub
Mitigation;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-41331

Products affected by CVE-2023-41331

Exploit prediction scoring system (EPSS) score for CVE-2023-41331

CVSS scores for CVE-2023-41331

CWE ids for CVE-2023-41331

References for CVE-2023-41331