Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/com.datadoghq/dd-java-agent@1.40.2
Typemaven
Namespacecom.datadoghq
Namedd-java-agent
Version1.40.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.60.3
Latest_non_vulnerable_version1.60.3
Affected_by_vulnerabilities
0
url VCID-by16-x54c-43cd
vulnerability_id VCID-by16-x54c-43cd
summary 
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier
2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable
3. A gadget-chain-compatible library is present on the classpath

### Impact
Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

### Recommendation
- For JDK >= 17: No action is required, but upgrading is strongly encouraged.
- For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later.
- For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below.

### Workarounds
Set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`

### Credits
This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33728
reference_id
reference_type
scores
0
value 0.00207
scoring_system epss
scoring_elements 0.43003
published_at 2026-06-09T12:55:00Z
1
value 0.00207
scoring_system epss
scoring_elements 0.43041
published_at 2026-06-05T12:55:00Z
2
value 0.00207
scoring_system epss
scoring_elements 0.43048
published_at 2026-06-06T12:55:00Z
3
value 0.00207
scoring_system epss
scoring_elements 0.43028
published_at 2026-06-07T12:55:00Z
4
value 0.00207
scoring_system epss
scoring_elements 0.42993
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33728
1
reference_url https://github.com/DataDog/dd-trace-java
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/DataDog/dd-trace-java
2
reference_url https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-27T19:57:15Z/
url https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3
3
reference_url https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-27T19:57:15Z/
url https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33728
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33728
5
reference_url https://github.com/advisories/GHSA-579q-h82j-r5v2
reference_id GHSA-579q-h82j-r5v2
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-579q-h82j-r5v2
fixed_packages
0
url pkg:maven/com.datadoghq/dd-java-agent@1.60.3
purl pkg:maven/com.datadoghq/dd-java-agent@1.60.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.datadoghq/dd-java-agent@1.60.3
aliases CVE-2026-33728, GHSA-579q-h82j-r5v2
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-by16-x54c-43cd
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/com.datadoghq/dd-java-agent@1.40.2