One of our contributors told me that this breach is related to a serialized object, which Mnemonic has tried to avoid, as below:

"However, “for either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax. In one case, an OGNL expression. In the other, a serialized object,” he said in comments emailed to SC Media. “The Equifax Struts application would receive this request, and get tricked into executing operating system commands.” The attacker can then “use these to take over the entire box – do anything the application can do,” Williams said. “So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”"

https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/

IMHO, from the technical viewpoint, Mnemonic has nothing to do with how to interact with the UI layer. Theoretically, Mnemonic's linked durable objects could be transferred between different layers to avoid SerDe; user code makes use of those durable objects for its own business logic. Regarding the Durable Query Model (DQM), it has not yet been fully implemented, so we need to consider any possible injection and provide the proper measures to prevent potential breaches. Thanks!
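The quoted article describes the attack pattern in which a service deserializes whatever object an HTTP request carries. The standard Java-side mitigation for that pattern is a deserialization allow-list (JEP 290, `ObjectInputFilter`, JDK 9+): the stream may only instantiate the class the service expects, and every other class is refused before any of its code can run. The following is an added example and is not Mnemonic's or Struts' code; `Invoice`, `readFiltered`, and the sample inputs are hypothetical names constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Allow-list filter (JEP 290, JDK 9+): only Invoice and String may be
    // instantiated; the trailing "!*" rejects every other class, so an
    // unexpected type in the stream is refused before it is constructed.
    // maxdepth/maxbytes bound resource use from malformed or oversized input.
    static final ObjectInputFilter ALLOW_LIST =
        ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=16384;Invoice;java.lang.String;!*");

    // Helper used only to build constructed sample inputs for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes untrusted bytes under the allow-list filter. Throws
    // InvalidClassException when the stream names a class outside the list.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: the expected type is accepted.
        byte[] good = serialize(new Invoice("cust-42", 1999));
        Invoice inv = (Invoice) readFiltered(good);
        System.out.println("accepted: " + inv.customerId + " " + inv.cents);

        // Constructed input 2: a type the service never asked for (a HashMap
        // stands in for any unexpected class) is rejected by the filter.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}

// Hypothetical application type: the only class the service expects to receive.
class Invoice implements Serializable {
    private static final long serialVersionUID = 1L;
    final String customerId;
    final long cents;

    Invoice(String customerId, long cents) {
        this.customerId = customerId;
        this.cents = cents;
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The design point is that the allow-list is expressed at the boundary where untrusted bytes enter, not inside the business classes; the same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` so that no code path can forget it.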
