Kotlin : No SecurityManager checks in deserialization methods
Classification
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
Overview
Security checks via SecurityManager or AccessController are present in the constructor of a Serializable class but not in its deserialization methods.
When readObject() and readObjectNoData() are called, the constructor is not invoked, so the security checks defined in the constructor are not performed.
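The pattern described above next to a corrected version, as an added example that is not DerScanner's own code. The class names, the permission name and the checksPerformed counter are hypothetical; the counter exists only to make the skipped check visible.

```kotlin
import java.io.*

// Constructed for illustration: permission name and class names are hypothetical.
private val CREATE = RuntimePermission("example.createTask")
var checksPerformed = 0   // lets main() show whether the check ran

private fun checkCreateAllowed() {
    checksPerformed++
    // No-op when no SecurityManager is installed.
    System.getSecurityManager()?.checkPermission(CREATE)
}

// Flagged pattern: the check lives only in the constructor (init block).
class UncheckedTask(val command: String) : Serializable {
    init { checkCreateAllowed() }
    companion object { private const val serialVersionUID = 1L }
}

// Corrected pattern: both deserialization hooks repeat the constructor's check.
class CheckedTask(val command: String) : Serializable {
    init { checkCreateAllowed() }

    @Throws(IOException::class, ClassNotFoundException::class)
    private fun readObject(input: ObjectInputStream) {
        checkCreateAllowed()          // run before any state is restored
        input.defaultReadObject()
    }

    @Throws(ObjectStreamException::class)
    private fun readObjectNoData() {
        checkCreateAllowed()
    }

    companion object { private const val serialVersionUID = 1L }
}

// Round-trips obj and returns how many checks ran during deserialization only.
fun checksOnRoundTrip(obj: Serializable): Int {
    val buffer = ByteArrayOutputStream()
    ObjectOutputStream(buffer).use { it.writeObject(obj) }
    checksPerformed = 0
    ObjectInputStream(ByteArrayInputStream(buffer.toByteArray())).use { it.readObject() }
    return checksPerformed
}

fun main() {
    println("UncheckedTask checks on deserialization: " + checksOnRoundTrip(UncheckedTask("report")))
    println("CheckedTask checks on deserialization:   " + checksOnRoundTrip(CheckedTask("report")))
}
```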
DerScanner Severity Score: LOW
