Jooby Web Framework Pac4j Module Untrusted Data Deserialization Vulnerability
Vulnerability
A vulnerability exists in the Jooby web framework's Pac4j module, affecting versions from 2.16.4 up to (but not including) 2.17.0 and from 3.6.1 up to (but not including) 3.7.0. The issue is in the SessionStoreImpl#get method, which deserializes data that has not been validated as trustworthy. The vulnerability is particularly concerning when indirect clients are in use, because session data can then be manipulated in a way that reaches this deserialization.
Impact
Exploitation of this vulnerability results in the deserialization of untrusted data; the concrete consequence depends on the context in which the deserialized data is used.
Reproduction
The vulnerability can be reproduced with a Jooby version in the affected ranges that includes the Pac4j module. Setting a session value under a key and then retrieving that key through the SessionStoreImpl#get method triggers the deserialization. This can be automated with a test that simulates the session data manipulation, such as the provided Issue3633.java test case.
Remediation
Users can update to Jooby versions 2.17.0 or 3.7.0 to address this vulnerability. Additionally, it is recommended to review and sanitize session data before saving it.
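The page does not show Jooby's own session-store code, so the following is an added illustration (not Jooby's SessionStoreImpl, and not part of the advisory) of the defensive pattern behind the "review and sanitize session data" advice: a hypothetical session-value codec that attaches an allowlisting `java.io.ObjectInputFilter` to the read path, so that only the class the application expects can be reconstructed from stored bytes. The `FilteredSessionCodec` and `UserProfile` names and the constructed sample values are assumptions for this example; the filter API itself is standard in Java 9 and later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/** Hypothetical session-value codec with an allowlisted ObjectInputFilter (not Jooby's SessionStoreImpl). */
public final class FilteredSessionCodec {

    /** Constructed example of the only value type this store is expected to hold. */
    public static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String userId;
        public UserProfile(String userId) { this.userId = userId; }
    }

    /** Classes permitted to be reconstructed from stored session bytes. */
    private static final Set<String> ALLOWED = Set.of(
        UserProfile.class.getName(),
        String.class.getName());

    /** Reject any class not on the allowlist and cap graph depth to bound the work a crafted stream can cause. */
    private static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 3) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Invoked for non-class checks (array lengths, reference counts); leave the decision open.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return ALLOWED.contains(clazz.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    /** Encodes a value the way a Java-serialization-backed session store would. */
    public static byte[] encode(Serializable value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    /** The read path: the filter runs before any class on the stream is resolved or instantiated. */
    public static Object decode(byte[] raw) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        Object ok = decode(encode(new UserProfile("alice")));
        System.out.println("accepted: " + ((UserProfile) ok).userId);

        // Any other type, standing in for session bytes the application did not produce: rejected
        // before the class is instantiated, so its readObject logic never runs.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            decode(encode(unexpected));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is evaluated for every class the stream tries to resolve, including nested fields, so the allowlist must name each type the stored value legitimately contains. This is defence in depth around the read path the advisory names; the primary fix remains upgrading to 2.17.0 or 3.7.0, and storing only opaque identifiers in the session (rather than serialized object graphs) removes the deserialization step entirely.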
