CVEbaza.plSłownik CWECWE-470
Common Weakness Enumeration

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Kategoria: BaseCVE: 73
Opis

Produkt wykorzystuje zewnętrzne dane wejściowe wraz z refleksją do wyboru, które klasy lub kod mają być użyte, ale nie zapobiega wystarczająco danych wejściowych w wyborze niewłaściwych klas lub kodu. Pozwala to atakującemu na wykonanie arbitralnego kodu poprzez manipulację parametrami wejściowymi.

Description (EN)

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Podatności CVE z CWE-470 (73)
10.0
CVSS
CRITICAL
CVE-2025-34393

Krytyczna podatność w komponencie Barracuda Service Center (rozwiązanie RMM) umożliwia nieuwierzytelnionemu atakującemu zdalne wykonanie kodu. Wynika z braku prawidłowej weryfikacji nazwy kontrolowanej przez atakującego usługi WSDL, co prowadzi do insecure reflection.

pub. 2025-12-10
9.8
CVSS
CRITICAL
CVE-2026-42027

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 1.9.5, before 2.5.9, before 3.0.0-M3 Description:  The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load. Mitigation:  * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.

pub. 2026-05-04
9.8
CVSS
CRITICAL
CVE-2025-53693

Podatność klasy Unsafe Reflection w Sitecore Experience Manager i Experience Platform pozwala nieuwierzytelnionemu atakującemu na zatrucie pamięci podręcznej (cache poisoning). Krytyczny wynik CVSS 9.8 wskazuje na możliwość poważnych konsekwencji, w tym potencjalnego RCE, bez konieczności posiadania jakichkolwiek uprawnień.

pub. 2025-09-03
9.8
CVSS
CRITICAL
CVE-2023-6943

Podatność klasy Unsafe Reflection (CWE-470) w wielu produktach Mitsubishi Electric umożliwia zdalnemu, nieuwierzytelnionemu atakującemu wykonanie dowolnego kodu na atakowanym systemie. Krytyczny poziom zagrożenia (CVSS 9.8) wynika z braku wymagań co do uwierzytelnienia i możliwości pełnego przejęcia systemu.

pub. 2024-01-30
9.8
CVSS
CRITICAL
CVE-2021-31522

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

pub. 2022-01-06
9.8
CVSS
CRITICAL
CVE-2021-21985

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

pub. 2021-05-26🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2019-1003040

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

pub. 2019-03-28
9.8
CVSS
CRITICAL
CVE-2019-1003041

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

pub. 2019-03-28
9.8
CVSS
CRITICAL
CVE-2018-1000613

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

pub. 2018-07-09
9.2
CVSS
CRITICAL
CVE-2026-8178

Amazon Redshift JDBC Driver w wersjach wcześniejszych niż 2.2.2 może ładować i wykonywać dowolne klasy podczas przetwarzania parametrów URL połączenia JDBC. Podatność umożliwia wykonanie kodu w kontekście aplikacji przez osobę mogącą wpłynąć na treść URL połączenia.

pub. 2026-05-08
9.1
CVSS
CRITICAL
CVE-2025-63690

W aplikacji pig-mesh Pig w wersjach 3.8.2 i wcześniejszych możliwe jest zdalne wykonanie dowolnego kodu (RCE) poprzez mechanizm zarządzania zadaniami zaplanowanymi (Quartz). Podatność jest szczególnie groźna, ponieważ umożliwia pełną kompromitację serwera.

pub. 2025-11-07
9.1
CVSS
CRITICAL
CVE-2024-4990

W Yii2 w wersji 2.0.48 bazowa klasa Component zawiera podatność (CWE-470) umożliwiającą atakującemu zdalnie i bez uwierzytelnienia inicjalizację dowolnych klas PHP. W zależności od zainstalowanych zależności może to prowadzić do wykonania kodu, wycieku danych lub nieautoryzowanego dostępu.

pub. 2025-03-20
9.1
CVSS
CRITICAL
CVE-2024-8015

Podatność w Progress Telerik Report Server umożliwia zdalne wykonanie kodu (RCE) poprzez wstrzykiwanie obiektów wynikające z niebezpiecznego rozwiązywania typów. Zagrożenie jest krytyczne, ponieważ atakujący może przejąć pełną kontrolę nad serwerem bez interakcji użytkownika.

pub. 2024-10-09
9.0
CVSS
CRITICAL
CVE-2023-32217

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.

pub. 2023-06-05
8.9
CVSS
HIGH
CVE-2024-7059

A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec Security Center product line.

pub. 2024-11-05
8.8
CVSS
HIGH
CVE-2024-8014

In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.

pub. 2024-10-09
8.8
CVSS
HIGH
CVE-2024-6096

In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability.

pub. 2024-07-24
8.8
CVSS
HIGH
CVE-2024-28121

stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.

pub. 2024-03-12
8.8
CVSS
HIGH
CVE-2023-33652

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.

pub. 2023-06-06
8.8
CVSS
HIGH
CVE-2019-10174

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

pub. 2019-11-25
Pokazano 20 z 73 podatności
Informacje
ID: CWE-470
Typ: Base
Podatności: 73
MITRE CWE ↗
← Słownik CWE