Home / Vulnerability Database / Scala : No SecurityManager checks in deserialization methods

Scala

Scala : No SecurityManager checks in deserialization methods

Classification

OWASP Top 10 2017

A6-Security Misconfiguration A8-Insecure Deserialization

OWASP Top 10 2021

A5-Security Misconfiguration A8-Software and Data Integrity Failures

OWASP MASVS

V6: 6.8.(L1/L2/L1+R/L2+R)

Overview

Security checks via SecurityManager or AccessController are present in the Serializable class constructor but not in deserialization methods.

When calling readObject() and readObjectNoData() the constructor is not called, therefore, security checks defined in the constructor will not be performed.

References

SecurityManager - docs.oracle.com
Secure Coding Guidelines for Java SE
OWASP Top 10 2017-A8-Insecure Deserialization
OWASP Top 10 2017-A6-Security Misconfiguration

LOW

Scala : No SecurityManager checks in deserialization methods

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Scala : No SecurityManager checks in deserialization methods in your application?

See also

Scala : Unreleased resource stream

Scala : Multiple loggers in same class

Scala : Insufficient encryption key length