# JDK CVE-2023-21939

This is a proof of concept for JDK CVE-2023-21939.

Use a JDK version lower than 8u371 (the fix is present from 8u371 on, so later builds will not reproduce).
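Added example, not part of this repository: a small POSIX shell check that classifies a host's `java -version` banner against the 8u371 threshold stated above, so a defender can tell whether a runtime is on an affected 8u build. Only the 8u line is classified; other release lines report `unknown` because this README says nothing about them. The sample banners are constructed.

```shell
#!/bin/sh
# Added check: classify a Java runtime version against the threshold this README
# gives for CVE-2023-21939 (affected below 8u371). Only the 8u line is covered;
# other release lines print "unknown" because the README says nothing about them.
# Usage: check_java_banner "$(java -version 2>&1 | head -n 1)"

# Print vulnerable | patched | unknown for a version string such as
# "1.8.0_361", "1.8.0_371-b11" or "8u362".
classify_jdk_version() {
    v=$1
    case "$v" in
        1.8.0_*) upd=${v#1.8.0_} ;;   # long form: 1.8.0_<update>[-b<build>]
        8u*)     upd=${v#8u} ;;       # short form used in release names: 8u<update>
        *)       echo unknown; return 0 ;;
    esac
    upd=${upd%%-*}                    # drop a trailing "-b11" build suffix
    case "$upd" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # not a plain update number
    esac
    if [ "$upd" -lt 371 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Pull the quoted version out of the first line of `java -version` output,
# e.g.  openjdk version "1.8.0_362"  ->  1.8.0_362
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Combine the two: banner line in, classification out.
check_java_banner() {
    classify_jdk_version "$(java_version_from_banner "$1")"
}

# Constructed sample banners (not captured from a real host) for a quick self-check.
if [ "${1:-}" = "--demo" ]; then
    for banner in 'openjdk version "1.8.0_362"' \
                  'java version "1.8.0_371"' \
                  'openjdk version "17.0.2" 2022-01-18'; do
        printf '%-45s -> %s\n' "$banner" "$(check_java_banner "$banner")"
    done
fi
```

Run it with `--demo` to see the three constructed banners classified, or pipe a real `java -version` line into `check_java_banner`.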
## JDK + Apache XML Graphics

```xml
<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-swing</artifactId>
    <version>1.15</version>
</dependency>
```
How to reproduce this RCE:

(1) Run XmlServer.java
(2) Run JarServer.java
(3) Run JarRCE.java to test; the RCE succeeds
Screenshot:
## JDK + Apache XML Graphics + Mozilla Rhino

```xml
<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-swing</artifactId>
    <version>1.15</version>
</dependency>
<dependency>
    <groupId>org.mozilla</groupId>
    <artifactId>rhino</artifactId>
    <version>1.7.10</version>
</dependency>
```
How to reproduce this RCE:

(1) Run XmlServer.java
(2) Run JSRCE.java to test; the RCE succeeds
Screenshot: