CVE-2016-1000031: Remote Code Execution

October 25, 2016 (updated May 24, 2019)

There exists a Java Object in this package that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application’s implementation of the FileUpload library.

References

issues.apache.org/jira/browse/FILEUPLOAD-279
nvd.nist.gov/vuln/detail/CVE-2016-1000031
www.tenable.com/security/research/tra-2016-12

Detect and mitigate CVE-2016-1000031 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →