Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which upon deserialization, can yield objects that the attacker does not have permissions to construct. Construction of a custom class loader is an example (See SEC07-J. Do not allow the unauthorized construction of sensitive classes existing in untrusted packages).

Noncompliant Code Example

...