I know that there is no activity happening around yuicompressor, but I still thought I should bring it to your notice. I am still not clear whether I am reporting it to the correct persons, but let me proceed anyway.
YUICompressor packages classes from the Mozilla Rhino project, in which NativeJavaObject can be used to trigger Remote Code Execution when yuicompressor.x.jar is in an application's classpath and that application has an endpoint that receives serialised data.
Code snippet from NativeJavaObject's readObject method:
The above method allows one to inject a new class definition into the JVM, and when the injected class is referred to again from another serialised object, a new instance of the already injected object will be created, which leads to Remote Code Execution.
I think you guys need to provide users a quick fix, or at least notify your users not to use yuicompressor anymore.
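The report above describes a Java deserialization risk: a class with a custom readObject on the classpath (here Rhino's NativeJavaObject, bundled in the yuicompressor jar) runs as soon as an untrusted stream names it. The practical mitigation on the application side is a deserialization filter that only admits the types an endpoint legitimately expects, so the offending class is rejected before its readObject ever executes. The following is an added example, not code from the report or from the yuicompressor project; it assumes Java 9+ (java.io.ObjectInputFilter), that the bundled Rhino classes live under the org.mozilla.javascript package as the report's mention of NativeJavaObject implies, and uses hypothetical application types (Message, Unexpected) constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not from the report): an allow-list deserialization filter that rejects
// the Rhino package bundled in the yuicompressor jar and anything else not explicitly expected.
public final class RhinoDenyFilterDemo {

    // Pattern syntax is java.io.ObjectInputFilter.Config.createFilter: "!" denies,
    // "**" matches a package and its sub-packages, "module/*" matches classes in a module,
    // and the trailing "!*" denies every class not matched earlier.
    static final String FILTER_PATTERN =
        "!org.mozilla.javascript.**;"                           // deny Rhino (NativeJavaObject etc.)
        + "java.base/*;"                                        // allow JDK base types (String, ...)
        + RhinoDenyFilterDemo.class.getName() + "$Message;"     // the one application type we accept
        + "!*";                                                 // deny everything else

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    // Hypothetical payload type the endpoint is designed to receive (constructed for the demo).
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Hypothetical type the endpoint never expects (stands in for any unlisted class).
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter is attached to the stream, so it is consulted for every class descriptor
    // read, including nested objects and array element types, before any instance is created.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the allow-list.
        Message ok = (Message) deserializeFiltered(serialize(new Message("hello")));
        System.out.println("accepted: " + ok.text);

        // An unlisted type is rejected with InvalidClassException ("filter status: REJECTED")
        // before its readObject logic can run; Rhino classes are rejected the same way.
        try {
            deserializeFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Attaching the filter per stream, as above, is the targeted fix for a single endpoint; the same pattern can be installed process-wide with ObjectInputFilter.Config.setSerialFilter (or the jdk.serialFilter system property) so that every ObjectInputStream in the JVM, including ones in third-party code, is covered. Either way, the deny entry for org.mozilla.javascript is only a backstop: the trailing "!*" is what ensures that any other gadget class on the classpath is refused as well.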