SB20231004125 - Deserialization of untrusted data in redisson

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20231004125

SB20231004125 - Deserialization of untrusted data in redisson

Published: October 4, 2023 Updated: April 28, 2025

Security Bulletin ID SB20231004125
CSH Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2023-42809)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. A remote attacker can manage to trick clients into communicating with a malicious server to include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in.


Remediation

Install update from vendor's website.

References