secure-code-warrior-for-github[bot]
commented
1 year ago Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)
Matched on "Deserialization of Untrusted Data"
It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
- OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
- OWASP Top Ten 2017 A8: Insecure Deserialization - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
Depshield will be deprecated soon
Please install our new product, Sonatype Lift with advanced features
Vulnerabilities
DepShield reports that this application's usage of org.apache.logging.log4j:log4j-core:2.7 results in the following vulnerability(s):
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.