yusicheng created IOTDB-5482:
--------------------------------

             Summary: Unsafe deserialize map in Sync Tool
                 Key: IOTDB-5482
                 URL: https://issues.apache.org/jira/browse/IOTDB-5482
             Project: Apache IoTDB
          Issue Type: Bug
    Affects Versions: 0.13.3, 0.13.3-SNAPSHOT
            Reporter: yusicheng
            Assignee: yusicheng
             Fix For: 0.13.4-SNAPSHOT

deviceOwnerMap = (Map<String, String>) deviceOwnerInput.readObject();

The owner file is converted into a Map object. In this deserialization process, the dangerous function readObject is used. If device_Owner is a malicious file, it would cause an arbitrary code execution issue in the target database.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
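One way to harden the read above is to keep Java serialization but install a JEP 290 deserialization filter that admits only the classes a String-to-String HashMap needs and rejects everything else before its class is resolved. The code below is an added example, not IoTDB's own fix; it assumes deviceOwnerInput is an ObjectInputStream over the device_owner file, that the map was written as a java.util.HashMap, and that the runtime is Java 9 or later (the file and method names are illustrative).

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

/* Added example, not IoTDB's own code. Assumes the device_owner file holds
 * a serialized java.util.HashMap<String, String> and Java 9+ (JEP 290). */
public class DeviceOwnerReader {

    // Allow-list: only HashMap and String may be deserialized; "!*" rejects any
    // other class, and maxdepth caps object nesting so a crafted stream cannot
    // smuggle unexpected object graphs past the cast.
    private static final ObjectInputFilter DEVICE_OWNER_FILTER =
        ObjectInputFilter.Config.createFilter(
            "maxdepth=3;java.util.HashMap;java.lang.String;!*");

    @SuppressWarnings("unchecked")
    public static Map<String, String> readDeviceOwnerMap(File deviceOwnerFile)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream deviceOwnerInput =
                 new ObjectInputStream(new FileInputStream(deviceOwnerFile))) {
            // The filter must be installed before the first readObject() call.
            deviceOwnerInput.setObjectInputFilter(DEVICE_OWNER_FILTER);
            // A rejected class surfaces here as java.io.InvalidClassException
            // ("filter status: REJECTED") instead of being instantiated.
            Object obj = deviceOwnerInput.readObject();
            if (!(obj instanceof HashMap)) {   // defence in depth beside the filter
                throw new InvalidObjectException(
                    "device_owner: unexpected type " + obj.getClass().getName());
            }
            return (Map<String, String>) obj;
        }
    }

    // Writer side kept symmetric so a local round trip can be checked.
    public static void writeDeviceOwnerMap(File deviceOwnerFile,
                                           Map<String, String> owners)
            throws IOException {
        try (ObjectOutputStream out =
                 new ObjectOutputStream(new FileOutputStream(deviceOwnerFile))) {
            out.writeObject(new HashMap<>(owners));
        }
    }
}
```

Replacing Java serialization with a plain line-based format (one "device<TAB>owner" entry per line) removes the readObject() surface entirely and is the stronger option where the file format can be changed.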