Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A critical vulnerability allowing arbitrary code execution has been identified in Shenzhen Dashi Tongzhou Information Technology AgileBPM versions through 2.5.0. The issue arises in the Groovy Script Handler component, specifically within the 'executeScript' function of the SysScriptController.java file. The vulnerability is caused by improper validation of the 'script' parameter, which allows for deserialization of untrusted data. This flaw can be exploited remotely, giving attackers the ability to execute arbitrary Groovy scripts and potentially gain full control over the affected server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the context of the application, potentially leading to full system compromise.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/api/ab-bpm/sys/script/executeScript' endpoint. The 'script' parameter can be manipulated to include arbitrary Groovy code, which will be executed on the server. This can be done after logging into the application and obtaining a valid authorization token.
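For defenders, the most useful artefact from the description above is the endpoint path and parameter name, which are enough to write a log-side detection. The following scanner is an added example, not code from the advisory or from the AgileBPM project: it reads web server access logs in the common "combined" format, normalises the request path, and flags every request to the script endpoint that carries a 'script' parameter. The log lines are constructed for the example; the parameter values in them are placeholders, not real payloads.

```python
"""Flag access-log requests that reach the AgileBPM Groovy script endpoint.

Added example (not from the advisory or the AgileBPM project). The sample
log lines are constructed in Apache/nginx "combined" format; the 'script'
values are placeholders, not real payloads.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, unquote

# Endpoint and parameter named in the advisory. The path is compared after
# normalisation (percent-decoding, slash collapsing, lower-casing) so that
# trivial variants of the same URL are not missed.
TARGET_PATH = "/api/ab-bpm/sys/script/executescript"
RISKY_PARAM = "script"

# combined format: host ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    host: str
    user: str          # "-" when the request was not authenticated
    time: str
    method: str
    status: int        # 200 means the server accepted the request
    script_preview: str  # truncated so the alert does not replay the payload


def normalise_path(raw_path: str) -> str:
    """Percent-decode, collapse repeated slashes and lower-case a URL path."""
    path = unquote(raw_path)
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line hits the script endpoint with a 'script' param."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split the request target ourselves: urlsplit() would treat a leading
    # "//" as a network location and drop part of the path.
    path, _, query = m.group("target").partition("?")
    if normalise_path(path) != TARGET_PATH:
        return None
    params = {k.lower(): v for k, v in
              parse_qs(query, keep_blank_values=True).items()}
    if RISKY_PARAM not in params:
        return None
    return Finding(
        host=m.group("host"),
        user=m.group("user"),
        time=m.group("time"),
        method=m.group("method"),
        status=int(m.group("status")),
        script_preview=params[RISKY_PARAM][0][:40],
    )


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan every line and return the findings in log order."""
    return [f for f in (scan_line(ln) for ln in lines) if f is not None]


# Constructed sample log: one authenticated hit, one unrelated request, one
# unauthenticated attempt using a double slash and mixed-case parameter name,
# and one POST whose body (if any) is invisible to an access-log scanner.
SAMPLE_LOG = [
    '10.0.0.5 - alice [05/Jun/2025:21:50:01 +0000] '
    '"GET /api/ab-bpm/sys/script/executeScript?script=1%2B1 HTTP/1.1" 200 17 "-" "curl/8.0"',
    '10.0.0.5 - alice [05/Jun/2025:21:50:02 +0000] '
    '"GET /api/ab-bpm/sys/script/list?page=1 HTTP/1.1" 200 311 "-" "curl/8.0"',
    '10.0.0.9 - - [05/Jun/2025:21:51:30 +0000] '
    '"GET //api/ab-bpm/sys/script/executeScript?Script=PLACEHOLDER HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '10.0.0.7 - bob [05/Jun/2025:21:52:10 +0000] '
    '"POST /api/ab-bpm/sys/script/executeScript HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.host} user={f.user} {f.method} status={f.status} "
              f"script={f.script_preview!r}")
```

Two design points follow from the advisory text. Because the advisory describes a GET request, the scanner only inspects the query string; a request that carries the script in a POST body (the fourth sample line) is not visible in an access log and needs a WAF or application-level log instead. And because exploitation needs a valid token, the `user` and `status` fields matter: a 200 from an authenticated account is an executed script and should be triaged as such, while a 401 is an attempt worth noting against the source host.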

Added: Jun 5, 2025, 9:56 PM
Updated: Jun 5, 2025, 9:56 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread            0.0
  impact           10.0
  exploitability    6.6
  remediation       0.0
  relevance         0.1
  threat            6.4
  urgency           2.9
  incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.