CVE-2020-24616: Jackson Deserialization Security Vulnerabilities Alert

On August 25, 2020, the Jackson-databind project issued a risk notice for a Jackson-databind deserialization vulnerability, tracked as CVE-2020-24616, rated high risk with a score of 7.5.
A new deserialization exploit chain in the br.com.anteros:Anteros-DBCP library bypasses the Jackson-databind blacklist. A remote attacker can achieve remote code execution by sending specially crafted requests to a web service interface that uses this component.

Vulnerability Detail

FasterXML Jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Affected version

  • fasterxml:jackson-databind: <2.9.10.6

Unaffected version

  • fasterxml:jackson-databind: 2.9.10.6

This version also fixes the following exploit chains:
  • org.arrahtec:profiler-core
  • com.nqadmin.rowset:jdbcrowsetimpl
  • com.pastdev.httpcomponents:configuration

Solution

We recommend that users upgrade Jackson-databind to the latest version promptly.
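Upgrading removes the known gadget class from the blacklist, but the underlying risk is a mapper that accepts arbitrary class names as polymorphic type ids. The following is an added example (not code from the advisory or from the Jackson project) of replacing blacklist reliance with an allowlist; it assumes jackson-databind 2.10 or later, where the PolymorphicTypeValidator API was introduced, and the package, class and type names are hypothetical.

```java
package com.example.events;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicTyping {

    // Hypothetical application types: an abstract base and one concrete subtype.
    public interface Event {}
    public static class LoginEvent implements Event {
        public String user;
    }

    // Gadget chains like the one in this advisory only work when the mapper resolves
    // any class name found in the JSON (the legacy enableDefaultTyping() setting, or an
    // @JsonTypeInfo base of Object/Serializable). Instead of trusting the library's
    // gadget blacklist, restrict type ids to our own package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Default typing writes the class name as a wrapper array: [typeId, value].
        String allowed = "[\"com.example.events.SafePolymorphicTyping$LoginEvent\",{\"user\":\"alice\"}]";
        Event e = mapper.readValue(allowed, Event.class);
        System.out.println("accepted: " + ((LoginEvent) e).user);

        // Constructed type id outside the allowlist. Any third-party class, including the
        // DataSource gadget named in this advisory, is refused before Jackson instantiates
        // it or calls any of its setters.
        String denied = "[\"com.example.untrusted.SomeGadget\",{}]";
        try {
            mapper.readValue(denied, Event.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getTypeId());
        }
    }
}
```

Code that still calls the deprecated enableDefaultTyping() after the upgrade remains exposed to the next gadget that is not yet blacklisted, so audit for it alongside the version bump.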