by lol768 2518 days ago
> treat reporting as gospel and don't validate

Indeed, and they've been doing the same thing with projects like jackson-databind. Tens of completely meaningless CVEs issued for each new deserialization gadget that someone finds and gets added to a blacklist designed to protect a known-unsafe use-case (deserializing user input whilst defaultTyping is enabled).

It causes a huge waste of resources on the blue side.
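As an added illustration of the use-case the comment refers to (this is example code written for this page, not code from the comment author or from the jackson-databind project), the snippet below puts the legacy global `enableDefaultTyping` configuration next to the `activateDefaultTyping` form that takes a `PolymorphicTypeValidator`. The `Shape`, `Circle` and `Holder` types and the two JSON documents are constructed for the example; it assumes jackson-databind 2.10 or later on the classpath, which is where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` were introduced.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical domain types for the example.
    public interface Shape {}

    public static final class Circle implements Shape {
        public double radius;
    }

    public static final class Holder {
        public Shape shape; // polymorphic field: the JSON has to say which Shape
    }

    // Known-unsafe configuration: global default typing with no validator.
    // With WRAPPER_ARRAY inclusion (the default), a value of the form
    // ["fully.qualified.ClassName", {...}] is resolved against any class on
    // the classpath, and that class is instantiated while the JSON is read.
    // This is the setup the gadget blacklist exists to patch over; the call
    // is deprecated since 2.10 for exactly that reason.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Allow-list configuration: only subtypes of our own Shape interface may be
    // named by a type id. The validator runs before the class is instantiated,
    // so a type id naming an unrelated class is rejected up front rather than
    // after its constructor or setters have already executed.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECTS_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the type id names our own Circle class.
        String legit = "{\"shape\":[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]}";
        // Constructed input: the type id names a class that is not a Shape at all.
        // java.util.HashMap is used only as a stand-in for "some unexpected class".
        String hostile = "{\"shape\":[\"java.util.HashMap\",{}]}";

        ObjectMapper safe = safeMapper();

        Holder h = safe.readValue(legit, Holder.class);
        System.out.println("legit   -> " + h.shape.getClass().getSimpleName());

        try {
            safe.readValue(hostile, Holder.class);
            System.out.println("hostile -> unexpectedly accepted");
        } catch (JsonMappingException e) {
            // Jackson raises an InvalidTypeIdException (a JsonMappingException)
            // because java.util.HashMap is not an allowed subtype of Shape.
            System.out.println("hostile -> rejected: " + e.getOriginalMessage());
        }
    }
}
```

The point the comment makes follows directly from the two constructors: with `unsafeMapper()` the security of the application rests on the blacklist knowing every class on the classpath that does something harmful when instantiated from JSON, whereas with `safeMapper()` the set of instantiable classes is fixed by the application, so a newly discovered gadget elsewhere on the classpath changes nothing.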