General data-binding functionality for Jackson: works on core streaming API
Language
JAVA
Vulnerability
Deserialization Of Untrusted Data
Vulnerability description
jackson-databind is vulnerable to deserialization of untrusted data. A Polymorphic Typing issue existed in the library because DefaultTransactionManagerLookup and JNDIConnectionSource were missing from the validator function. This only occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, and it can potentially lead to remote code execution.
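The advisory's precondition, Default Typing enabled on an ObjectMapper, shown as an added example next to the hardened form; this is illustrative code written here, not code from jackson-databind or from the advisory, and the Envelope class, the com.example.model. package prefix and the JSON input are constructed assumptions.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical DTO with an Object-typed property: with Default Typing enabled,
    // the JSON input chooses the concrete class of this field via "@class".
    public static class Envelope {
        public Object payload;
    }

    // Weak setting (the advisory's precondition): Default Typing enabled globally with
    // no PolymorphicTypeValidator, so any resolvable class name is accepted unless it
    // is on the library's built-in blocklist, which is the list the advisory says was
    // missing two classes. enableDefaultTyping is deprecated since 2.10.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    // Hardened setting: Default Typing only behind an explicit allowlist of subtypes
    // (the prefix is a hypothetical application package). Anything else is denied at
    // type-id resolution, so a gap in the blocklist no longer matters.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the type id names a harmless JDK class outside the
        // allowlist, which is enough to show the difference in behaviour.
        String constructed = "{\"payload\":{\"@class\":\"java.util.HashMap\"}}";

        Envelope e = weakMapper().readValue(constructed, Envelope.class);
        System.out.println("weak mapper instantiated: " + e.payload.getClass().getName());

        try {
            hardenedMapper().readValue(constructed, Envelope.class);
        } catch (JsonMappingException ex) {
            System.out.println("hardened mapper rejected type id: " + ex.getOriginalMessage());
        }
    }
}
```

Auditing for enableDefaultTyping, activateDefaultTyping with LaissezFaireSubTypeValidator, or @JsonTypeInfo(use = Id.CLASS) on properties fed by external JSON finds the configurations the advisory's condition applies to.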
Veracode Software Composition Analysis