Category: Bug report
Priority: High
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Sometimes
Assigned to:
This is a bug in JasperReports v6.20.0, introduced with this code change: https://github.com/TIBCOSoftware/jasperreports/commit/0074da4359c0e605bb.... GH issue: https://github.com/TIBCOSoftware/jasperreports/issues/225.
VirtualizationInput was updated to call https://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html...(boolean), passing in true. Per the Javadoc: "If enable is true, and there is a security manager installed, this method first calls the security manager's checkPermission method with the SerializablePermission("enableSubstitution") permission to ensure it's ok to enable the stream to allow objects read from the stream to be replaced." From https://docs.oracle.com/javase/7/docs/api/java/io/SerializablePermission... the enableSubstitution target is described as "Substitution of one object for another during serialization or deserialization", with the risk: *This is dangerous because malicious code can replace the actual object with one which has incorrect or malignant data.*
To reproduce: enable JR virtualization in an environment with a SecurityManager installed and without the ObjectStreamConstants.SUBSTITUTION_PERMISSION permission (that is, SerializablePermission("enableSubstitution")) granted, then run a Jasper report that uses virtualization.
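The following is an added, self-contained demonstration of the check described above; it is not JasperReports code. The page's link to the ObjectInputStream method is truncated; the quoted Javadoc is that of ObjectInputStream.enableResolveObject(boolean), so that is the call used here. The class SubstitutingInput is a hypothetical stand-in for VirtualizationInput, and the two SecurityManager subclasses are constructed policies: one that withholds SerializablePermission("enableSubstitution") (the failing environment from the report) and one that grants it (the mitigation). The serialized input is a constructed sample value.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.SerializablePermission;
import java.security.Permission;

/**
 * Added demonstration (not JasperReports code): an ObjectInputStream subclass that
 * calls enableResolveObject(true) fails under a SecurityManager that has not granted
 * SerializablePermission("enableSubstitution"), and succeeds once it is granted.
 */
public class SubstitutionPermissionDemo {

    /** Hypothetical stand-in for the page's VirtualizationInput: enables object substitution. */
    static class SubstitutingInput extends ObjectInputStream {
        SubstitutingInput(InputStream in) throws IOException {
            super(in);
            // The call at issue. With a SecurityManager installed, ObjectInputStream invokes
            // checkPermission(new SerializablePermission("enableSubstitution")) before enabling.
            enableResolveObject(true);
        }

        @Override
        protected Object resolveObject(Object obj) {
            // Identity substitution: enabling the hook, not its body, is what triggers the check.
            return obj;
        }
    }

    /** Constructed policy: allow everything except the substitution permission. */
    static class DenySubstitution extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof SerializablePermission && "enableSubstitution".equals(perm.getName())) {
                throw new SecurityException("not granted: " + perm + " (constructed policy)");
            }
            // Everything else is allowed so the demo itself can run.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Constructed policy: everything granted, i.e. the environment after the permission is added. */
    static class GrantAll extends SecurityManager {
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }
    }

    /** Serializes one object into a byte array so the demo runs entirely in memory. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Opens the substituting stream under the current SecurityManager and reads one object. */
    static String tryRead(byte[] data) {
        try (SubstitutingInput in = new SubstitutingInput(new ByteArrayInputStream(data))) {
            return "ok: " + in.readObject();
        } catch (SecurityException e) {
            // Thrown from enableResolveObject(true) inside the constructor.
            return "SecurityException: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize("constructed sample value"); // constructed input

        System.out.println("no SecurityManager     -> " + tryRead(data));

        System.setSecurityManager(new DenySubstitution());
        System.out.println("permission not granted -> " + tryRead(data));

        System.setSecurityManager(new GrantAll());
        System.out.println("permission granted     -> " + tryRead(data));
    }
}
```

The second line of output reproduces the report's failure mode: the SecurityException comes from the constructor, before any report data is read, so a deployment that virtualizes reports under a SecurityManager fails as soon as VirtualizationInput is opened. ObjectStreamConstants.SUBSTITUTION_PERMISSION, named in the reproduction steps, is this same SerializablePermission("enableSubstitution"); in a standard policy file the grant is `permission java.io.SerializablePermission "enableSubstitution";`, which should be scoped with a codeBase clause to the JasperReports jar rather than granted globally, since it lets that code replace deserialized objects. SecurityManager is deprecated for removal since Java 17, and on Java 18 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed.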