On August 25, 2020, a risk notice was issued for a Jackson-databind deserialization vulnerability, tracked as CVE-2020-24616, rated high risk with a vulnerability score of 7.5.
A new deserialization gadget chain exists in the br.com.anteros:Anteros-DBCP library that bypasses the Jackson-databind blacklist restrictions. A remote attacker can achieve remote code execution by sending a specially crafted request to a web service interface that uses this component.
FasterXML Jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
In this version, the following exploit chains are also fixed
We therefore recommend that users upgrade Jackson-databind to the latest version promptly.
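As an added example (not code from this advisory or from the Jackson project), the contrast below shows the configuration this gadget chain targets, global default typing guarded only by Jackson's class blacklist, next to the allowlist-based replacement; it assumes jackson-databind 2.10 or later, where PolymorphicTypeValidator exists, and the Shape/Circle types and both JSON inputs are constructed for the demonstration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application types, used only for this demonstration.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }

    // Constructed inputs. With default typing enabled, the JSON itself names the
    // class to instantiate (WRAPPER_ARRAY form: [class-name, properties]).
    static final String GOOD = "[\"DefaultTypingHardening$Circle\",{\"radius\":2.0}]";
    // The same structure naming the gadget class this advisory cites instead of an app type.
    static final String BAD = "[\"br.com.anteros.dbcp.AnterosDBCPDataSource\",{}]";

    /** Vulnerable pattern: global default typing, protected only by Jackson's blacklist.
     *  Any class not yet on that blacklist (as Anteros-DBCP was) can be named by the input.
     *  Shown for contrast only; main() never parses untrusted input with it. */
    static ObjectMapper blacklistOnlyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened: an allowlist validator, so only classes implementing Shape may be named. */
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** Returns true if the mapper accepted the input, false if it refused the named type. */
    static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonProcessingException e) {
            // A type id the validator denies (or cannot resolve) is reported here
            // as an InvalidTypeIdException before any constructor runs.
            return false;
        }
    }

    public static void main(String[] args) {
        ObjectMapper safe = allowlistMapper();
        System.out.println("Circle accepted: " + accepts(safe, GOOD));
        System.out.println("Gadget accepted: " + accepts(safe, BAD));
    }
}
```

The allowlist rejects the gadget class whether or not the Anteros-DBCP jar is on the classpath, which is the point: the fix does not depend on Jackson's blacklist keeping up with newly discovered gadgets.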