On August 25, 2020, Jackson-databind
issued a risk notice for a Jackson-databind deserialization vulnerability. The
vulnerability number is CVE-2020-24616, the vulnerability level is high risk, and the vulnerability score is 7.5.
A new deserialization gadget chain exists in the br.com.anteros:Anteros-DBCP library that bypasses the Jackson-databind blacklist of known gadget classes. A remote attacker can achieve remote code execution by sending a specially crafted request to a web service interface that uses this component to deserialize untrusted JSON with polymorphic type handling (Default Typing) enabled and the Anteros-DBCP library present on the classpath.
Vulnerability Detail
FasterXML Jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Affected versions
- com.fasterxml.jackson.core:jackson-databind: < 2.9.10.6
Unaffected version
- com.fasterxml.jackson.core:jackson-databind: 2.9.10.6
The same release also blocks the following gadget chains:
- org.arrahtec:profiler-core
- com.nqadmin.rowset:jdbcrowsetimpl
- com.pastdev.httpcomponents:configuration
Solution
We recommend that users upgrade jackson-databind to 2.9.10.6 or later as soon as possible. Because every chain of this kind depends on polymorphic type handling, applications should also stop enabling global default typing (enableDefaultTyping) for untrusted input; on 2.10 and later, use activateDefaultTyping with a PolymorphicTypeValidator allowlist instead, and on any version remove unused libraries that carry gadget classes (such as Anteros-DBCP) from the classpath.
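To make the two settings concrete, the following is an added example (not code from the advisory or from the Jackson project) showing the global default-typing configuration that gadget chains such as the Anteros-DBCP one depend on, beside the allowlist-based configuration that refuses any class name not explicitly permitted. It assumes jackson-databind 2.10 or later (the PolymorphicTypeValidator API does not exist in 2.9.x, where 2.9.10.6 only extends the blacklist) and a hypothetical application package com.example.model; the JSON input is constructed for the example and names a harmless JDK class in place of a gadget class.

```java
// Added example, not from the advisory or the Jackson project.
// Assumed dependency: com.fasterxml.jackson.core:jackson-databind 2.10 or later.
// "com.example.model." is a hypothetical application package.
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    /** Weak setting: every non-final declared type (including Object) accepts a
     *  class name from the JSON, so any class on the classpath that is not on the
     *  built-in blacklist can be instantiated by whoever controls the input. */
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Hardened setting: default typing stays on, but a type id is only honoured
     *  when the PolymorphicTypeValidator explicitly allows it (allowlist, not blacklist). */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.WRAPPER_ARRAY);
        return mapper;
    }

    /** Returns true when the mapper refuses the class name embedded in the JSON. */
    static boolean rejectsTypeId(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // the validator denied the type id before any instance was built
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input in the WRAPPER_ARRAY shape ["class name", value];
        // a harmless JDK class stands in for a gadget class here.
        String json = "[\"java.util.HashMap\", {}]";

        System.out.println("weak mapper rejects type id:     " + rejectsTypeId(weakMapper(), json));
        System.out.println("hardened mapper rejects type id: " + rejectsTypeId(hardenedMapper(), json));
    }
}
```

With the weak mapper the class name is resolved and instantiated whenever it is absent from the blacklist, which is exactly what each newly discovered gadget library exploits; with the hardened mapper the same input is rejected because java.util.HashMap is outside the allowlist, and a DataSource class such as the one named in this advisory would be rejected for the same reason. On the 2.9.x line, where only the blacklist exists, the practical check is to search the codebase for enableDefaultTyping and @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) and remove them wherever the JSON comes from an untrusted source.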