中危 jackson-databind mishandles the interaction between serialization gadgets and typing

CVE编号

CVE-2020-9546

利用情况

暂无

补丁情况

没有补丁

披露时间

2020-03-02

漏洞描述

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

解决建议

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://github.com/FasterXML/jackson-databind/issues/2631

参考链接
https://github.com/FasterXML/jackson-databind/issues/2631
https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a2...
https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f...
https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a8896...
https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a79193...
https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05c...
https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a...
https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e...
https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e93380...
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52...
https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-yo...
https://security.netapp.com/advisory/ntap-20200904-0006/
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	fasterxml	jackson-databind	*	From (including) 2.0.0	Up to (excluding) 2.9.10.4

阿里云评分 6.9

• 攻击路径 远程
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 全局影响
• EXP成熟度 未验证
• 补丁情况 没有补丁
• 数据保密性 数据泄露
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 N/A

CWE-ID	漏洞类型
CWE-502	可信数据的反序列化

Exp相关链接

- avd.aliyun.com