If you can access the classloader that's pretty bad, it's likely people will find other gadgets.
It's insane to me though that class.* isn't completely disallowed. What is the legitimate use case for deserializing allowing web requests to call setters in the reflection API?
Also, agree it is impressive to me how much bad information I've seen.
I believe accessing the `class` object here is a mistake. You can see my analysis here where I trace the POC https://news.ycombinator.com/item?id=30862953 but like you said, there are other problematic code paths for sure with this.
It's insane to me though that class.* isn't completely disallowed. What is the legitimate use case for deserializing allowing web requests to call setters in the reflection API?
Also, agree it is impressive to me how much bad information I've seen.