Java : No SecurityManager checks in deserialization methods
Classification
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
Overview
Security checks via SecurityManager or AccessController are present in the constructor of a Serializable class but not in its deserialization methods.

Deserialization does not invoke the constructors of a Serializable class (only the no-argument constructor of its first non-serializable superclass), so an instance produced by ObjectInputStream.readObject() comes into existence without the checks the constructor performs. The same applies to readObjectNoData(), which runs when the stream carries no data for the class. Any caller able to supply a serialized stream can therefore obtain an instance that the constructor would have refused to create. To close the gap, repeat the SecurityManager or AccessController check at the start of readObject() and readObjectNoData() (and readResolve() if the class defines one), before any stream data is consumed.
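The following is an added example, not code from the DerScanner page or from any scanned project. It places a constructor-only check beside the hardened form that repeats the check in readObject() and readObjectNoData(), and uses a counter to show that a deserialized copy is created without the constructor ever running. The class names, the permission name `example.createPrivilegedHandle` and the `/etc/shadow` sample string are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationCheckDemo {

    // Hypothetical permission name; only the check pattern matters.
    static final RuntimePermission PERM =
            new RuntimePermission("example.createPrivilegedHandle");

    static void checkPermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(PERM);
        }
    }

    /** Flawed: the check lives only in the constructor. */
    static class UnguardedHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        static int constructorCalls = 0;
        final String resource;

        UnguardedHandle(String resource) {
            checkPermission();
            constructorCalls++;
            this.resource = resource;
        }
    }

    /** Hardened: every path that materializes an instance repeats the check. */
    static class GuardedHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        final String resource;

        GuardedHandle(String resource) {
            checkPermission();
            this.resource = resource;
        }

        // Runs instead of the constructor when the stream carries this class's data.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            checkPermission();          // before consuming any untrusted field data
            in.defaultReadObject();
            if (resource == null) {
                throw new InvalidObjectException("resource is required");
            }
        }

        // Runs when the stream has no data for this class (for example a stream
        // written by a version that lacked this class in the hierarchy); guard it too.
        private void readObjectNoData() throws InvalidObjectException {
            checkPermission();
            throw new InvalidObjectException("stream carries no data for GuardedHandle");
        }
    }

    // Serialize and immediately deserialize an object in memory (constructed test input).
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T copy = (T) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        UnguardedHandle h = new UnguardedHandle("/etc/shadow");
        UnguardedHandle copy = roundTrip(h);
        // The copy exists and holds the same field, yet the constructor ran only once:
        // whatever the constructor checked was never checked for the copy.
        System.out.println("constructor calls: " + UnguardedHandle.constructorCalls);
        System.out.println("copy.resource:     " + copy.resource);

        GuardedHandle g = roundTrip(new GuardedHandle("/etc/shadow"));
        System.out.println("guarded copy:      " + g.resource);
    }
}
```

Run it with `java DeserializationCheckDemo.java`; the counter prints 1 although two UnguardedHandle instances exist. Without a SecurityManager installed (the default on current JDKs) checkPermission() is a no-op, so the demonstration relies on the counter rather than on a thrown SecurityException. Note that the SecurityManager was deprecated for removal in Java 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486); the underlying point, that constructor-side validation of any kind is skipped on deserialization, still applies to argument checks and invariants placed in the constructor.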
DerScanner Severity Score: LOW
See also
Java : Race condition
Java : Text4Shell Vulnerability
