General data-binding functionality for Jackson: works on core streaming API
Language
JAVA
Vulnerability
Remote Code Execution (RCE)
Vulnerability description
Jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 to bypass the blacklist when Spring libraries are available on the class path.
To be exposed to this attack, the application must either annotate a polymorphic type with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS), or call ObjectMapper.enableDefaultTyping(...).
CVE | 2017-17485
CVSS score | 7.5
Vulnerability present in version/s | 2.0.0-RC1 through 2.7.9.1
Found library version/s | 2.4.2
Vulnerability fixed in version | 2.7.9.2
Library latest version | 2.16.1
Fix |
Veracode Software Composition Analysis