- Task
- Resolution: Unresolved
expand the note:
NOTE: To mitigate attacks against deserializers, the app only deserializes trusted data.
DRAFT:
Simply make whitelistedKeyClasses configurable in /modules/cache-browser-app/config/whitelistedKeyClasses, so that the user only has to populate the whitelisted classes to be serialized by the endpoint and cache app via info.magnolia.cache.browser.CacheBrowserAppModule. This prevents unwanted classes from being deserialized and thus the execution of malicious code.
Acceptance criteria
- documents
- MGNLCACHE-165 CacheEndpoint is potentially vulnerable to RCE - Closed
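
The allowlist check that the whitelistedKeyClasses draft above describes can be enforced at the point where Java resolves each class in a serialized stream. The following is an added example, not Magnolia's own code: it assumes standard Java serialization, and every name except whitelistedKeyClasses (AllowlistedKeyReader, AllowlistObjectInputStream, readKey, serialize) is hypothetical.

```java
import java.io.*;
import java.util.Set;

// Added illustration; not taken from the cache-browser-app module.
public class AllowlistedKeyReader {

    /** Rejects any class that is not on the allowlist before it can be instantiated. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> whitelistedKeyClasses;

        AllowlistObjectInputStream(InputStream in, Set<String> whitelistedKeyClasses) throws IOException {
            super(in);
            this.whitelistedKeyClasses = whitelistedKeyClasses;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Invoked for every class descriptor in the stream, including superclasses
            // and the classes of nested fields, so each of them must be listed.
            if (!whitelistedKeyClasses.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not in whitelistedKeyClasses");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readKey(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("java.lang.String"); // constructed sample allowlist
        System.out.println("accepted: " + readKey(serialize("cache-key-1"), allowed));
        try {
            // java.util.ArrayList is not on the allowlist, so the stream is refused.
            readKey(serialize(new java.util.ArrayList<String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs in resolveClass, the refusal happens before any readObject logic of the unlisted class executes.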