Jackson-databind Remote Code Execution Vulnerability (CVE-2020-8840) Threat Alert
março 9, 2020
Vulnerability Description
On February 19, National Vulnerability Database (NVD) disclosed a remote code execution vulnerability (CVE-2020-8840) that resulted from JNDI injection in jackson-databind and assigned a CVSS score of 9.8. Affected versions of jackson-databind lack certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. An attacker could exploit this vulnerability to cause remote code execution via JNDI injection. Currently, the vendor has released new versions to fix this vulnerability. Affected users are advised to update their installation to the latest versions as soon as possible. (mais…)
Jackson-databind Remote Code Execution Vulnerability Technical Analysis
agosto 7, 2019
On June 21, Red Hat officially released a security bulletin to announce the fix for a vulnerability in jackson-dababind. This vulnerability with a CVSS score of 8.1 affects multiple Red Hat products and a sophisticated exploit using this vulnerability is observed in the wild. On July 22, a security researcher named Andrea Brancaleoni published an article to analyze this vulnerability. (mais…)
Jackson-databind Remote Code Execution Vulnerability (CVE-2019-12384) Threat Alert
agosto 6, 2019
Overview
Recently, a security researcher discovered a vulnerability (CVE-2019-12384) in jackson-databind, noting that when certain conditions are met, an attacker, via a malicious request, could bypass the blacklist restriction and remotely execute code in an affected server during deserialization. (mais…)