The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks security checks, exposing it to remote code execution.
This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.
Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance using new methods.
Users of these products are strongly advised to update their installations to the latest versions as soon as possible to safeguard against potential threats.
Collection
[
|
...
]