yusicheng created IOTDB-5482:
--------------------------------
Summary: Unsafe deserialize map in Sync Tool
Key: IOTDB-5482
URL: https://issues.apache.org/jira/browse/IOTDB-5482
Project: Apache IoTDB
Issue Type: Bug
Affects Versions: 0.13.3, 0.13.3-SNAPSHOT
Reporter: yusicheng
Assignee: yusicheng
Fix For: 0.13.4-SNAPSHOT
deviceOwnerMap = (Map<String, String>) deviceOwnerInput.readObject();
The owner file will be converted into a Map object. In this
deserialization process, a dangerous function, readObject, is used.
If device_Owner is a malicious file, it would cause an arbitrary code
execution issue in the target database.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
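The following is an added example, not code from Apache IoTDB or from the reporter. It places the raw readObject() pattern quoted in the report next to a hardened loader that installs a JEP 290 ObjectInputFilter (Java 9+) before deserializing. The file name, the assumption that the owner file holds a java.util.HashMap, the filter string, and the Payload class are all assumptions of this example; Payload is a constructed stand-in for an attacker-chosen class (it sets a flag from its readObject hook instead of running a real gadget chain).

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

// Added example, not IoTDB code. Compares the unfiltered readObject() pattern from
// the report with a filtered loader. Payload is a constructed stand-in for an
// attacker-chosen class; it only records that its readObject hook ran.
public class DeviceOwnerLoader {

    // Vulnerable: ObjectInputStream instantiates whatever class the file names,
    // so a crafted device_Owner file chooses the code that runs before the cast fails.
    @SuppressWarnings("unchecked")
    static Map<String, String> loadUnsafe(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            return (Map<String, String>) in.readObject();
        }
    }

    // Hardened: the filter (assumed allowlist) admits only the classes a
    // HashMap<String,String> needs, rejects everything else, and bounds graph size.
    static Map<String, String> loadFiltered(Path file) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.HashMap;java.lang.String;!*;maxdepth=3;maxrefs=10000;maxbytes=1048576");
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            in.setObjectInputFilter(filter);          // must be set before readObject()
            Object obj = in.readObject();             // InvalidClassException if a class is rejected
            if (!(obj instanceof Map)) {
                throw new InvalidObjectException("owner file is not a Map: " + obj.getClass());
            }
            // Re-validate element types instead of trusting an unchecked cast.
            Map<String, String> owners = new HashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) obj).entrySet()) {
                if (!(e.getKey() instanceof String) || !(e.getValue() instanceof String)) {
                    throw new InvalidObjectException("non-String entry in owner map");
                }
                owners.put((String) e.getKey(), (String) e.getValue());
            }
            return owners;
        }
    }

    // Constructed stand-in for an attacker-supplied class. Its readObject hook runs
    // as a side effect of deserialization, before any cast in the caller.
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean executed = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true;   // a real gadget chain would reach something like Runtime.exec here
        }
    }

    static void write(Path file, Object o) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(file))) {
            out.writeObject(o);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate owner map and a file naming an unexpected class.
        Path good = Files.createTempFile("device_Owner", ".good");
        Path bad = Files.createTempFile("device_Owner", ".bad");
        Map<String, String> legit = new HashMap<>();
        legit.put("root.sg1.d1", "sender-A");
        write(good, legit);
        write(bad, new Payload());

        System.out.println("filtered, legit file: " + loadFiltered(good));

        try {
            loadUnsafe(bad);
        } catch (ClassCastException tooLate) {
            // The cast fails, but Payload.readObject has already run.
            System.out.println("unsafe, crafted file: payload executed = " + Payload.executed);
        }

        Payload.executed = false;
        try {
            loadFiltered(bad);
        } catch (InvalidClassException rejected) {
            System.out.println("filtered, crafted file: rejected (" + rejected.getMessage()
                    + "), payload executed = " + Payload.executed);
        }
    }
}
```

Compile and run with `javac DeviceOwnerLoader.java && java DeviceOwnerLoader`. The allowlist has to match the concrete Map class the sender actually writes (a TreeMap or ConcurrentHashMap would be rejected by this filter and needs its own entries), and the same pattern can be applied process-wide with the `-Djdk.serialFilter=` JVM option instead of per stream. A filter limits which classes can be instantiated from an untrusted file; replacing Java serialization with a plain text or JSON encoding for the owner map removes the deserialization surface entirely.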