Home

Awesome

JDK CVE-2023-21939

文章链接

This is JDK CVE-2023-21939

Use JDK version lower than 8u371

JDK + Apache XML Graphics

<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-swing</artifactId>
    <version>1.15</version>
</dependency>

How to reproduce this RCE:

(1) Run XmlServer.java

(2) Run JarServer.java

(3) Run JarRCE.java for Test and successfully RCE

Screenshot:

JDK + Apache XML Graphics + Mozilla Rhino

<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-swing</artifactId>
    <version>1.15</version>
</dependency>
<dependency>
    <groupId>org.mozilla</groupId>
    <artifactId>rhino</artifactId>
    <version>1.7.10</version>
</dependency>

How to reproduce this RCE:

(1) Run XmlServer.java

(2) Run JSRCE.java for Test and successfully RCE

Screenshot: