About me, a total noob

  • Email: echo 'OTI5ODExMzEzQHFxLmNvbQo=' | base64 -d

Some years ago I was a veteran CTF "flag-trading" player. I then spent a few years at DXY (丁香园) developing Java base components (mostly wrappers around open-source projects) and never planned to do security professionally (it was a hobby). Thanks to the support and trust of my interviewers, I switched to being a security R&D engineer at a company I can't name (writing code scanners, WAF backends, and all sorts of other backends), focusing on security of the Java ecosystem. I can write code, dig up vulnerabilities, and also brag and cook!

Some security vulnerability IDs contributed along the way

Alibaba-Nacos

WebLogic

XStream

  • CVE-2021-21341: XStream can cause a Denial of Service
  • CVE-2021-21347: XStream is vulnerable to an Arbitrary Code Execution attack
  • CVE-2021-21348: XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)
  • CVE-2021-21349: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
  • CVE-2021-21350: XStream is vulnerable to an Arbitrary Code Execution attack

Spring Cloud Netflix Zuul

  • CVE-2021-22113: Spring Cloud Netflix Zuul “Sensitive Headers” Bypass Vulnerability

Apache Ambari

Apache Pulsar Manager

Apache-Tomcat

FasterXML/jackson-databind