096 – Insecure deserialization

Description

The system deserializes objects without first validating their content nor casting them to a specific type.

Impact

Enable to control the application execution flow.

Recommendation

Validate the incoming serialized objects and only deserialize them if they meet expected properties.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 173 - Discard unsafe inputs
• 321 - Avoid deserializing untrusted data

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Swift
• Typescript

Last updated

2024/02/12