{
  "threat_severity" : "Important",
  "public_date" : "2022-06-10T00:00:00Z",
  "bugzilla" : {
    "description" : "fastjson: autoType shutdown restriction bypass leads to deserialization",
    "id" : "2100654",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2100654"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data because the default autoType shutdown restrictions can be bypassed under certain conditions. Exploiting this vulnerability allows an attacker who can supply JSON input to the parser to attack the remote server. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).", "A flaw was found in com.alibaba:fastjson, a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data because the default autoType shutdown restrictions can be bypassed, which is possible under certain conditions." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "fastjson"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "fastjson",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "fastjson",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat Integration Data Virtualisation Operator",
    "fix_state" : "Out of support scope",
    "package_name" : "fastjson",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "fastjson",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-25845\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25845\nhttps://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222" ],
  "name" : "CVE-2022-25845",
  "mitigation" : {
    "value" : "Users who cannot upgrade to the fixed version may enable safeMode; this completely disables the autoType function and eliminates the vulnerability risk. Because safeMode turns autoType off entirely, any application functionality that depends on autoType will stop working, so the setting should be tested before it is deployed. Upgrading to 1.2.83 or later remains the recommended fix. [https://github.com/alibaba/fastjson/wiki/fastjson_safemode]",
    "lang" : "en:us"
  },
  "csaw" : false
}