How severe is CVE-2023-25581?

This vulnerability has a severity rating of CRITICAL with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2023-25581?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2023-25581

CRITICAL Year: 2023

Weakness Type

CWE-502

View all →

Vulnerability Description

pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2018-19276

CRITICAL

CVSS:10.0(Critical)

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a...

CWE-5022018

CVE-2018-3972

CRITICAL

CVSS:10.0(Critical)

An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrenci...

CWE-5022018

CVE-2019-19810

CRITICAL

CVSS:10.0(Critical)

Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending craft...

CWE-5022019

CVE-2020-15148

CRITICAL

CVSS:10.0(Critical)

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workarou...

CWE-5022020

CVE-2021-37181

CRITICAL

CVSS:10.0(Critical)

A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Comp...

CWE-5022021

CVE-2022-38650

CRITICAL

CVSS:10.0(Critical)

A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to run arbitrary code or malware wit...

CWE-5022022

CVE-2023-25581

Vulnerability Description

Related Vulnerabilities

CVE-2018-19276

CVE-2018-3972

CVE-2019-19810

CVE-2020-15148

CVE-2021-37181

CVE-2022-38650