- Email: echo 'OTI5ODExMzEzQHFxLmNvbQo=' | base64 -d
I love reading the source code of open-source Java projects, learning from the excellent work of fellow developers, absorbing their designs and ideas, and auditing for security vulnerabilities along the way, picking up bugs as I go. Out of pure interest I can stay focused and keep writing code for long stretches without feeling any pain; in fact the more I write, the more excited I get, and I often have to restrain the urge to code just to get on with life. My dream is to design and build an open-source Java system known around the world.
Some security vulnerability IDs contributed along the way
Alibaba-Sentinel
- CVE-2021-44139: sentinel-dashboard component pre-authentication SSRF
h2\h2database
- CVE-2021-23463: h2\h2database XML External Entity (XXE) Injection
Spring Cloud Netflix Hystrix Dashboard
- CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability
Alibaba-Druid
- CVE-2021-33800: Directory Traversal Vulnerability
Alibaba-Nacos
- CVE-2021-29441: Authentication bypass for specific endpoint
- CVE-2021-29442: Authentication Bypass
Apache-Dubbo
- CVE-2021-25641: Potential deserialization id tampering from network
WebLogic
- CVE-2021-2136: IIOP RCE
- CVE-2021-2344, CVE-2021-2371, CVE-2021-2376, CVE-2021-2378: Memory DoS
XStream
- CVE-2021-21341: XStream can cause a Denial of Service
- CVE-2021-21347: XStream is vulnerable to an Arbitrary Code Execution attack
- CVE-2021-21348: XStream is vulnerable to a Regular Expression Denial of Service (ReDoS) attack
- CVE-2021-21349: Server-Side Request Forgery (SSRF) can be triggered when unmarshalling with XStream, reading data streams from an arbitrary URL that references a resource on the intranet or the local host
- CVE-2021-21350: XStream is vulnerable to an Arbitrary Code Execution attack
Spring Cloud Netflix Zuul
- CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability
Apache Ambari
- CVE-2020-13924: Arbitrary File Download Vulnerability
Apache Pulsar Manager
- CVE-2020-17520: pulsar-manager admin authentication bypass
Apache-Tomcat
- CVE-2020-9484: session persistence (PersistentManager/FileStore) path traversal leading to deserialization RCE
FasterXML/jackson-databind
- CVE-2020-8840: xbean-reflect/JNDI gadget
- CVE-2020-9546: shaded-hikari-config/JNDI gadget
- CVE-2020-9547: ibatis-sqlmap/JNDI gadget
- CVE-2020-9548: anteros-core/JNDI gadget
- CVE-2020-10969: javax.swing/SSRF gadget
- CVE-2020-10672: aries.transaction.jms/JNDI gadget
- CVE-2020-10673: caucho-quercus/JNDI gadget