In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-09-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >
Share
Shulou(Shulou.com)06/01 Report--
What this article shares with you is an example analysis of multiple deserialization security vulnerabilities in Jackson. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.
Brief introduction of 0x01 vulnerability
On August 27th, 2020, 360CERT Monitoring found that jackson-databind issued a risk notice for the jackson-databind serialized vulnerability, the vulnerability number is CVE-2020-24616, vulnerability level: high risk, vulnerability score: 7.5.
There is a new deserialization utilization chain in br.com.anteros:Anteros-DBCP that can bypass the jackson-databind blacklist restriction, and remote attackers can cause remote code execution impact by sending a specially crafted request packet to the web service interface that uses the component.
In this regard, 360CERT recommends that the majority of users upgrade jackson-databind to the latest version in time. At the same time, please do a good job of asset self-examination and prevention to avoid hacker attacks.
0x02 risk rating
360CERT's assessment of the vulnerability is as follows
Assessment methods, threat levels, high risk impact surfaces, limited 360CERT scores, 7.50x03 vulnerability details CVE-2020-24616: jackson-databind deserialization vulnerability
There is a new deserialization utilization chain in br.com.anteros:Anteros-DBCP that can bypass the jackson-databind blacklist restriction, and remote attackers can cause remote code execution impact by sending a specially crafted request packet to the web service interface that uses the component.
Jackson-databind Release 2.9.10.6
The following utilization chains have also been fixed in this release
-org.arrahtec:profiler-core
-com.nqadmin.rowset:jdbcrowsetimpl
-com.pastdev.httpcomponents:configuration
There is a new deserialization utilization chain in the above package that can bypass the jackson-databind blacklist restriction, and remote attackers can affect remote code execution by sending a specially crafted request packet to the web service interface that uses the component.
0x04 affects version
-fasterxml:jackson-databind:
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
The market share of Chrome browser on the desktop has exceeded 70%, and users are complaining about
The world's first 2nm mobile chip: Samsung Exynos 2600 is ready for mass production.According to a r
A US federal judge has ruled that Google can keep its Chrome browser, but it will be prohibited from
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
About us Contact us Product review car news thenatureplanet
More Form oMedia: AutoTimes. Bestcoffee. SL News. Jarebook. Coffee Hunters. Sundaily. Modezone. NNB. Coffee. Game News. FrontStreet. GGAMEN
© 2024 shulou.com SLNews company. All rights reserved.
12
Report
