/
DirectorySecurity AdvisoriesPricing
Sign in
Security Advisories

CVE-2024-46983

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-46983

Severity

9.8

Critical

CVSS V3

Summary

Remote Command Execution(RCE) Vulnerbility in sofa-hessian

Description

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory external/serialize.blacklist.

References

  • https://images.chainguard.dev/security/CGA-6jjq-fcp4-6fxv
  • https://github.com/advisories/GHSA-c459-2m73-67hj
  • https://images.chainguard.dev/security/CGA-m7rc-v737-2qrc
  • https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj

Affected packages

Safe Source for Open Sourceâ„¢
Contact us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSGolden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsChainguard CoursesDocumentationTrust Center

Company

About UsBlogPartnersNewsroomCareersLegal