Java : Non-serializable object in J2EE session

Overview

Storing a non-serializable object in the session may adversely affect the security of the application.

J2EE applications can run on multiple JVMs to improve reliability and performance. For the user to see those virtual machines as a single application, the container replicates the HttpSession object across them, so that if one virtual machine becomes unavailable, another can take over without disrupting the application.

For this mechanism to work correctly, the values stored in the session must implement the Serializable interface.
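The following example is added here and is not DerScanner's own code: it shows a session attribute that breaks session replication next to its corrected form, plus a check that verifies a value survives the Java serialization a replicating container performs. The class names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example; class names are hypothetical. The objects below stand for
// values passed to HttpSession.setAttribute().

// Problematic pattern: the attribute does not implement Serializable, so the
// container cannot replicate it to another JVM and the session state is lost
// (or replication fails) when that JVM becomes unavailable.
class ShoppingCart {
    final List<String> items = new ArrayList<>();
}

// Corrected pattern: implement Serializable, declare serialVersionUID, and mark
// fields that must not be copied between JVMs (connections, secrets) transient.
class SerializableShoppingCart implements Serializable {
    private static final long serialVersionUID = 1L;
    final List<String> items = new ArrayList<>();
    transient Object dbConnection; // not replicated; re-acquired lazily
}

public class SessionAttributeCheck {
    // Defensive check (usable from a unit test or a HttpSessionAttributeListener):
    // true only if the value can be written with ObjectOutputStream, which is
    // exactly what a session-replicating container will attempt.
    static boolean isReplicable(Object value) {
        if (!(value instanceof Serializable)) {
            return false;
        }
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
            return true;
        } catch (IOException e) {
            // NotSerializableException here means a nested field is not serializable
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("ShoppingCart replicable: " + isReplicable(new ShoppingCart()));
        System.out.println("SerializableShoppingCart replicable: "
                + isReplicable(new SerializableShoppingCart()));
    }
}
```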

DerScanner Severity Score: LOW
