CVE-2020-24164

EUVD-2022-1116
A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
taoenssonippy
𝑥
< 2.14.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ptaoussanis/nippy/issues/130
https://github.com/ptaoussanis/nippy/issues/130