Deserialization of Untrusted Data

Affecting com.fasterxml.jackson.core:jackson-databind artifact, versions [2.0.0, 2.9.10.1)


Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The attack needs three conditions together: Default Typing is enabled on an ObjectMapper that handles an externally exposed JSON endpoint (so the class to instantiate is taken from the incoming JSON), the apache-log4j-extra (version 1.2.x) jar is on the classpath (supplying the gadget class), and the attacker can stand up a JNDI service for that gadget to contact. Under those conditions it is possible to make the service execute a malicious payload.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.1 or higher.
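The root condition in this advisory is Default Typing resolving a class name that arrives on the wire; the 2.9.10.1 fix blocklists the log4j-extras gadget, but the durable mitigation is to stop accepting arbitrary type ids at all. The example below is added here and is not code from the advisory or from the Jackson project; it assumes jackson-databind 2.10 or later (where PolymorphicTypeValidator exists), a hypothetical application package com.example.model, and the hypothetical model classes Envelope and Note. It places the weak configuration beside the hardened one and shows that a request body naming a class outside the allowlist is rejected before any instance is created; the out-of-allowlist class used is the harmless java.util.Date, since the point is the mechanism, not any particular gadget.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Illustrative hardening of Jackson Default Typing. Assumes jackson-databind 2.10+;
 * package and class names are hypothetical and not taken from the advisory.
 */
public class DefaultTypingHardening {

    /** A property declared as Object forces Jackson to write and read a class name ("type id") for it. */
    public static class Envelope {
        public Object payload;
        public Envelope() {}
        public Envelope(Object payload) { this.payload = payload; }
    }

    /** The only payload type this hypothetical service legitimately accepts. */
    public static class Note {
        public String text;
        public Note() {}
        public Note(String text) { this.text = text; }
    }

    /** Weak configuration: any class name found in the JSON is resolved, gated only by Jackson's blocklist. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Hardened configuration: a type id may only name a class under our own package (allowlist). */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Legitimate round trip: the type id is com.example.model.DefaultTypingHardening$Note, which the allowlist permits.
        String ok = hardened.writeValueAsString(new Envelope(new Note("hello")));
        System.out.println("serialized: " + ok);
        Envelope back = hardened.readValue(ok, Envelope.class);
        System.out.println("payload class: " + back.payload.getClass().getName());

        // Constructed request body whose type id names a class outside the allowlist.
        // java.util.Date is harmless; what matters is that the class name comes from the caller.
        String untrusted = "{\"payload\":[\"java.util.Date\",0]}";

        // The weak mapper happily instantiates whatever class the caller named.
        Object viaWeak = weakMapper().readValue(untrusted, Envelope.class).payload;
        System.out.println("weak mapper instantiated: " + viaWeak.getClass().getName());

        // The hardened mapper rejects the type id during validation, before any instance exists.
        try {
            hardened.readValue(untrusted, Envelope.class);
            System.out.println("UNEXPECTED: hardened mapper accepted the type id");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

In practice the allowlist should be as narrow as the application's real polymorphic types, and if a service does not need polymorphic deserialization at all, leaving Default Typing disabled is simpler still; upgrading jackson-databind and removing unused jars such as log4j-extras from the classpath remain worthwhile, but they only shrink the gadget set, while the allowlist removes the class-name-from-the-wire behaviour the advisory depends on.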

CVSS Score

8.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Zhangxianhui
CVE: CVE-2019-17531
CWE: CWE-502
Snyk ID: SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980
Disclosed: 12 Oct, 2019
Published: 13 Oct, 2019