Impact
Decoding objects serialized in XML (Configuration, History, plugin Configuration) can result in arbitrary code execution. This is especially true when the RESTful API call is used to set the configuration. Note that this requires a bearer token when used from outside localhost.
Discovered by Bobby Rauch (Accenture).
Patches
The XML decoders used in the project were patched in 1.6.9 and later.
Workarounds
N/A
References
#3526
#3527
#3528