Free Trial
Under attack ?

Apache ShardingSphere(incubator) deserialization vulnerability

Overview :

In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere’s web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE.

Affected Product(s) :

  • ShardingSphere 4.0.0-RC3, 4.0.0

Solution :

Mitigation: 4.0.0-RC3 and 4.0.0 users should upgrade to 4.0.1

Example: An attacker can use untrusted data to fill in the DataSource Config after login the sharding-ui.

Credit: This issue was discovered by WuXiong of QI`ANXIN YUNYING Labs.

References:

https://shardingsphere.apache.org/community/en/security/

Facebook
Twitter
LinkedIn
Linkedin X-twitter Facebook-f Youtube

Recent Blog Posts

Best Tools to Identify Broken Access Control in APIs
Top Made-in-India Enterprise Cybersecurity Solutions (2025 Guide)
How to Choose the Right Cloud WAF for Your Business in 2025
Top 10 Cybersecurity Companies in India - 2025 Edition
Top 10 Network Security Solutions for 2025

WAF Solution

Recent Case Studies

Government Institution Fortifies Data Defenses with Prophaze

Government Institution Fortifies Data Defenses with Prophaze

December 14, 2023
Prophaze's WAF Redefines Aerospace Security Standards

Prophaze’s WAF Redefines Aerospace Security Standards

December 14, 2023
Industrial IoT Breach mitigated by Prophaze

Industrial IoT Breach Mitigated by Prophaze

December 14, 2023

Recent Press Releases

Indo Pak Cyber Attacks

India Cyber Attack: 85 Million Malicious Requests Blocked by Prophaze

May 20, 2025
Intel Prophaze Partnership

Intel’s 4th Gen Processors Power Prophaze’s New Era of Smarter, Faster Security

January 23, 2025

PrivaPlan Partners with Prophaze to Set New Era in Data Security and Compliance

January 15, 2025