oss-sec mailing list archives

CVE request: Kryo (Java serialization API)


From: Arshan Dabirsiaghi <arshan.dabirsiaghi () contrastsecurity com>
Date: Tue, 1 Mar 2016 20:09:52 +0000

The Kryo serialization API (https://github.com/EsotericSoftware/kryo)
doesn't enforce whitelisting by default, and thus allows side effects from
constructors and finalizer methods in attacker-chosen types when
deserializing. With the right gadgets available on the classpath, these
side effects could lead to DoS, memory corruption, and possibly RCE.

https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo
https://github.com/EsotericSoftware/kryo/issues/398

Thanks,
--

Arshan Dabirsiaghi | Chief Scientist
Contrast Security, Inc. <http://www.contrastsecurity.com/>
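The mitigation the post implies, shown as an added example (not code from the post or from the Kryo project): a permissive Kryo instance beside one with registration required, so a stream naming an unregistered class is rejected before the type is instantiated. It assumes the Kryo 3.x/4.x API where registration is optional by default; `Greeting` is a constructed placeholder for an application class.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.KryoException;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;

public class KryoWhitelistDemo {

    // Constructed sample type standing in for a legitimate application class.
    public static class Greeting {
        public String text;
        public Greeting() {}
        public Greeting(String text) { this.text = text; }
    }

    // Serialize with the class name embedded in the stream, as a writer that
    // has not registered its types does.
    static byte[] serialize(Kryo kryo, Object value) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        Output output = new Output(bytes);
        kryo.writeClassAndObject(output, value);
        output.close();
        return bytes.toByteArray();
    }

    public static void main(String[] args) {
        // Weak configuration (Kryo 3.x default): any class named in the stream is
        // resolved and instantiated, so the stream controls which types are built.
        Kryo permissive = new Kryo();
        byte[] untrusted = serialize(permissive, new Greeting("hello"));
        Object obj = permissive.readClassAndObject(new Input(untrusted));
        System.out.println("permissive: " + ((Greeting) obj).text);

        // Hardened configuration: the registration table acts as a whitelist, and
        // a stream naming an unregistered class is rejected before instantiation.
        Kryo strict = new Kryo();
        strict.setRegistrationRequired(true);
        try {
            strict.readClassAndObject(new Input(untrusted));
        } catch (IllegalArgumentException | KryoException e) {
            System.out.println("strict rejected unregistered class: " + e.getMessage());
        }

        // Only explicitly registered types round-trip under the strict instance.
        strict.register(Greeting.class);
        byte[] trusted = serialize(strict, new Greeting("hello"));
        Greeting ok = (Greeting) strict.readClassAndObject(new Input(trusted));
        System.out.println("strict accepted registered class: " + ok.text);
    }
}
```

Registered types are written by numeric ID rather than by name, so the strict writer and reader must register classes in the same order (or with explicit IDs) on both sides.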

