Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-24750

Опубликовано: 18 сент. 2020
Источник: redhat
CVSS3: 8.1

Описание

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and system availability.

Отчет

The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit:

  • JBoss Data Grid 7
  • Business Process Management Suite 6
  • Business Rules Management Suite 6
  • JBoss Data Virtualization 6
  • OpenShift Container Platform These products may update the jackson-databind dependency in a future release. The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable
  • Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time. The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code:
  • CodeReady Studio 12.16.0
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Virtualization
  • Red Hat Satellite 6

Меры по смягчению последствий

The following conditions are needed for an exploit, we recommend avoiding all if possible:

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using id.CLASSorid.MINIMAL_CLASS`
  • avoid com.pastdev.httpcomponents in the classpath

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2jackson-databindNot affected
Red Hat BPM Suite 6jackson-databindOut of support scope
Red Hat build of Quarkusjackson-databindNot affected
Red Hat CodeReady Studio 12jackson-databindNot affected
Red Hat Data Grid 8jackson-databindNot affected
Red Hat Decision Manager 7jackson-databindNot affected
Red Hat Enterprise Linux 8pki-deps:10.6/jackson-databindNot affected
Red Hat Fuse 7jackson-databindNot affected
Red Hat Integration Camel K 1jackson-databindNot affected
Red Hat Integration Service Registryjackson-databindNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1882310jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-24750

CVSS3: 8.1
ubuntu
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

nvd логотип

CVE-2020-24750

CVSS3: 8.1
nvd
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

debian логотип

CVE-2020-24750

CVSS3: 8.1
debian
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...

github логотип

GHSA-qjw2-hr98-qgfh

CVSS3: 8.1
github
около 4 лет назад

Unsafe Deserialization in jackson-databind

fstec логотип

BDU:2021-00882

CVSS3: 8.1
fstec
больше 5 лет назад

Уязвимость функции в com.pastdev.httpcomponents.configuration.JndiConfiguration библиотеки Jackson-databind проекта FasterXML , позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

8.1 High

CVSS3