General data-binding functionality for Jackson: works on core streaming API
Language
JAVA
Vulnerability
Remote Code Execution (RCE)
Vulnerability description
jackson-databind is vulnerable to remote code execution (RCE) attacks. Because the fix for CVE-2017-7525 was incomplete, attackers can still send malicious code through JSON: the blacklist that was implemented did not take into account the c3p0 gadgets available on the classpath. To be vulnerable to this attack, the application must either use @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS), or call ObjectMapper.enableDefaultTyping(...).
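The following added example (not code from the advisory or from the Jackson project) puts the enableDefaultTyping(...) configuration named above beside the hardened form available from Jackson 2.10 on, where default typing is only activated together with a PolymorphicTypeValidator allowlist. The Event and LoginEvent types, and the class name in the rejected sample, are hypothetical.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {
    // Hypothetical application types used as the polymorphic base and subtype.
    public interface Event {}
    public static class LoginEvent implements Event {
        public String user;
    }

    // Weak configuration: the enableDefaultTyping(...) call the advisory names.
    // Every type id found in the JSON is resolved and instantiated, held back
    // only by the (incomplete) class blacklist.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened configuration (Jackson 2.10+): default typing is activated with
    // an allowlist validator, so type ids outside the application's own Event
    // hierarchy are rejected before anything is instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws JsonProcessingException {
        ObjectMapper mapper = hardenedMapper();
        // Constructed sample with an allowlisted subtype: deserializes normally.
        String ok = "[\"" + LoginEvent.class.getName() + "\", {\"user\": \"alice\"}]";
        Event e = mapper.readValue(ok, Event.class);
        System.out.println("accepted: " + e.getClass().getSimpleName());
        // Constructed sample whose type id names a class outside the allowlist
        // (a placeholder name, not a real class): the validator rejects it.
        String untrusted = "[\"com.example.other.Unexpected\", {\"user\": \"alice\"}]";
        try {
            mapper.readValue(untrusted, Event.class);
        } catch (JsonProcessingException ex) {
            System.out.println("rejected: " + ex.getOriginalMessage());
        }
    }
}
```

The same allowlist idea applies to the annotation route: prefer @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) with an explicit @JsonSubTypes list over Id.CLASS or Id.MINIMAL_CLASS, so the JSON cannot name arbitrary classes.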
Veracode Software Composition Analysis