Serialized objects can be altered unless they are protected by mechanisms such as sealing and signing (see guideline SEC16-J. Sign and seal sensitive objects before transit). If an attacker can alter the serialized form of an object, the attacker can also change which system resource a serialized handle refers to. For example, an attacker may modify a serialized file handle so that it refers to an arbitrary file on the system. In the absence of a security manager, any operation that subsequently uses that file handle will be carried out against the attacker-supplied path and file name.
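The following is an added example (not code from the original guideline) that shows both halves of the problem: a class that serializes a `java.io.File` directly, a simulated attacker who rewrites the path inside the serialized stream, and a compliant variant that keeps the handle `transient`, serializes only a file name, and re-derives and confines the handle in `readObject()`. The class names, the log directory `/var/app/logs` and the file names are assumptions chosen for the demonstration; the byte-level rewrite relies only on the documented Java serialization format, in which a `String` value is written as a two-byte big-endian length followed by modified UTF-8 bytes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SerializedHandleDemo {

    /** Noncompliant: the java.io.File handle itself is part of the serialized form. */
    static final class UnsafeLogConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final File logFile;
        UnsafeLogConfig(File logFile) { this.logFile = logFile; }
    }

    /**
     * Compliant: the handle is transient, only a bare file name is serialized, and
     * readObject() re-derives the handle and confines it to a fixed directory.
     */
    static final class SafeLogConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        // Hypothetical application log directory used for this demonstration.
        private static final Path LOG_DIR = Paths.get("/var/app/logs").toAbsolutePath().normalize();
        private final String fileName;
        private transient File logFile;

        SafeLogConfig(String fileName) {
            this.fileName = fileName;
            this.logFile = resolve(fileName);
        }

        /** Accepts only a name that resolves to a direct child of LOG_DIR. */
        private static File resolve(String name) {
            if (name == null) throw new IllegalArgumentException("file name is null");
            Path p = LOG_DIR.resolve(name).normalize();
            if (!LOG_DIR.equals(p.getParent())) {
                throw new IllegalArgumentException("file name escapes log directory: " + name);
            }
            return p.toFile();
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try {
                logFile = resolve(fileName);  // rejects "../../../etc/passwd"-style names
            } catch (IllegalArgumentException e) {
                throw new InvalidObjectException(e.getMessage());
            }
        }

        File getLogFile() { return logFile; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Simulated attacker: locate the serialized path string (2-byte length + modified
     * UTF-8 bytes, identical to UTF-8 for ASCII) and splice in a different path.
     */
    static byte[] tamperPath(byte[] stream, String oldPath, String newPath) {
        byte[] oldB = oldPath.getBytes(StandardCharsets.UTF_8);
        byte[] newB = newPath.getBytes(StandardCharsets.UTF_8);
        int idx = indexOf(stream, oldB);
        if (idx < 2) throw new IllegalStateException("original path not found in stream");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(stream, 0, idx - 2);            // everything before the length prefix
        out.write((newB.length >>> 8) & 0xFF);     // new big-endian length
        out.write(newB.length & 0xFF);
        out.write(newB, 0, newB.length);           // new path bytes
        out.write(stream, idx + oldB.length, stream.length - idx - oldB.length);
        return out.toByteArray();
    }

    private static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // 1. Noncompliant object: the attacker redirects the handle to an arbitrary file.
        byte[] unsafe = serialize(new UnsafeLogConfig(new File("/var/app/logs/app.log")));
        byte[] forged = tamperPath(unsafe, "/var/app/logs/app.log", "/etc/passwd");
        UnsafeLogConfig u = (UnsafeLogConfig) deserialize(forged);
        System.out.println("unsafe handle now points to: " + u.logFile);

        // 2. Compliant object: the same edit is rejected at deserialization time.
        byte[] safe = serialize(new SafeLogConfig("app.log"));
        byte[] forgedSafe = tamperPath(safe, "app.log", "../../../etc/passwd");
        try {
            deserialize(forgedSafe);
        } catch (InvalidObjectException e) {
            System.out.println("safe config rejected: " + e.getMessage());
        }
    }
}
```

Run with `java SerializedHandleDemo.java`. The first case deserializes without error and the handle now names `/etc/passwd`; no part of the serialization machinery notices the change. The second case fails with `InvalidObjectException` because the handle is rebuilt from validated data rather than read from the stream. Signing or sealing the stream (SEC16-J) would also detect the tampering, but it is an integrity control layered on top; the guideline's point is that a handle to a system resource should not be part of the serialized form in the first place.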
...
Deserializing direct handles to system resources can allow the modification of the resources being referred to.

Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER10-J | high | probable | low | P18 | L1 |
...