#VU46305 Code Injection in jackson-databind
Vulnerability identifier: #VU46305
Vulnerability risk: High
CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-94
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
jackson-databind
Universal components / Libraries /
Libraries used by multiple products
Vendor: FasterXML
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Mitigation
Install update from vendor's website.
Vulnerable software versions
jackson-databind: 2.0.0 - 2.0.6, 2.1.0 - 2.1.5, 2.2.0 - 2.2.4, 2.3.0 - 2.3.5, 2.4.0 - 2.4.6.1, 2.5.0 - 2.5.5, 2.6.0 - 2.6.8, 2.7.0 - 2.7.9.7, 2.8.0 - 2.8.11.6, 2.9.0 - 2.9.10.5
External links
http://github.com/FasterXML/jackson-databind/issues/2814
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://security.netapp.com/advisory/ntap-20200904-0006/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
