GobyVuls/Yun-Box_authService_fastjson_serialization_code_execution_vulnerability.md

## Yun-Box authService fastjson serialization code execution vulnerability

|   **Vulnerability**  | **Yun-Box authService fastjson serialization code execution vulnerability**  |
| :----:   | :-----|
|  **Chinese name**  | 云匣子 authService fastjson 序列化代码执行漏洞 |
| **CVSS core**  | 9.8 |
| **FOFA Query**  (click to view the results directly)| [(body=\"id=mTokenPlugin width=0 height=0 style=\\\"position: absolute;LEFT: 0px; TOP: 0px\\\"\" && body=\"type=application/x-xtx-axhost\") && (cert=\"Domain Control Validated\" \|\| cert=\"云匣子\")](https://en.fofa.info/result?qbase64=KGJvZHk9ImlkPW1Ub2tlblBsdWdpbiB3aWR0aD0wIGhlaWdodD0wIHN0eWxlPVwicG9zaXRpb246IGFic29sdXRlO0xFRlQ6IDBweDsgVE9QOiAwcHhcIiIgJiYgYm9keT0idHlwZT1hcHBsaWNhdGlvbi94LXh0eC1heGhvc3QiKSAmJiAoY2VydD0iRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIiB8fCBjZXJ0PSLkupHljKPlrZAiKQ%3D%3D) |
| **Number of assets affected**  | 620 |
| **Description**  | Yun-Box is a secure management tool developed by Yunanbao for tenants to connect to cloud resources, which can help cloud tenants manage virtual machines, databases, and other resources on the cloud in a more secure and precise manner. With years of experience in operations and security, Yun-Box combines operations and security on the cloud to achieve pre-planned operations, in-process control, and post-audit. Additionally, Yun-Box integrates features such as automated operations, asset topology discovery, and account security to provide comprehensive and reliable cloud security management services. |
| **Impact** | Yun-Box uses the vulnerable fastjson component, and hackers can launch attacks on Yun-Box by exploiting the fastjson serialization vulnerability to gain server privileges. |

![](https://s3.bmp.ovh/imgs/2023/05/23/7853202174123e25.gif)