sofastack CVE Vulnerabilities & CVE List (2)

Products (CPE): — CVEs: 2

sofastack vulnerability overview

This page aggregates publicly disclosed CVE and security risk information related to sofastack, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.

Vulnerability distribution trend (last 24 months)

Showing 12 of 2 CVEs
«« First « Prev Page 1 / 1 Next »
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2024-23636 SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue [email protected] 9.8 0.80% 2024-01-23 2026-06-17
CVE-2023-41331 SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to constr [email protected] 9.8 1.34% 2023-09-12 2026-06-17
«« First « Prev Page 1 / 1 Next »
cvelogic Threat Intelligence