Jackson-databind

Jackson-databind Remote Code Execution Vulnerability (CVE-2020-8840) Threat Alert

March 9, 2020

 

Vulnerability Description

On February 19, National Vulnerability Database (NVD) disclosed a remote code execution vulnerability (CVE-2020-8840) that resulted from JNDI injection in jackson-databind and assigned a CVSS score of 9.8. Affected versions of jackson-databind lack certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. An attacker could exploit this vulnerability to cause remote code execution via JNDI injection. Currently, the vendor has released new versions to fix this vulnerability. Affected users are advised to update their installation to the latest versions as soon as possible. (more…)

Jackson-databind Remote Code Execution Vulnerability Technical Analysis

August 7, 2019

  1. Vulnerability Overview

On June 21, Red Hat officially released a security bulletin to announce the fix for a vulnerability in jackson-dababind. This vulnerability with a CVSS score of 8.1 affects multiple Red Hat products and a sophisticated exploit using this vulnerability is observed in the wild. On July 22, a security researcher named Andrea Brancaleoni published an article to analyze this vulnerability. (more…)

Jackson-databind Remote Code Execution Vulnerability (CVE-2019-12384) Threat Alert

August 6, 2019

Overview

Recently, a security researcher discovered a vulnerability (CVE-2019-12384) in jackson-databind, noting that when certain conditions are met, an attacker, via a malicious request, could bypass the blacklist restriction and remotely execute code in an affected server during deserialization. (more…)