Oracle OpenGrok RCE — CVE-2021–2322

### sets configuration from XML representation [PUT]

+ Request (application/xml)
+ Body
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_172" class="java.beans.XMLDecoder">
<object class="org.opengrok.indexer.configuration.Configuration" id="Configuration0">
<void property="allowLeadingWildcard">
private static Configuration decodeObject(InputStream in) throws IOException {

final Object ret;

try (XMLDecoder d = new XMLDecoder(new BufferedInputStream(in))) {

ret = d.readObject();


if (!(ret instanceof Configuration)) {

throw new IOException("Not a valid config file");


return (Configuration) ret;




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store