This site is deprecated. Please
CLICK HERE for latest updates
Short Name |
HTTP:MISC:JACKSON-DATABIND-RCE
|
Severity |
Major
|
Recommended |
No
|
Category |
HTTP
|
Keywords |
Jackson Databind Deserialization Remote Code Execution
|
Release Date |
2020/04/23
|
Update Number |
3274
|
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+
|
HTTP: Jackson Databind Deserialization Remote Code Execution
This signature detects attempts to exploit a known vulnerability against FasterXML Jackson. A successful attack can lead to arbitrary code execution.
Extended Description
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Affected Products
- Debian debian_linux 8.0
- Debian debian_linux 9.0
- Fasterxml jackson 1.0.0
- Fasterxml jackson 1.1.0
- Fasterxml jackson 1.1.2
- Fasterxml jackson 1.2.0
- Fasterxml jackson 1.3
- Fasterxml jackson 1.4.0
- Fasterxml jackson 1.4.6
- Fasterxml jackson 1.5
- Fasterxml jackson 1.6
- Fasterxml jackson 1.7
- Fasterxml jackson 1.8
- Fasterxml jackson 1.9
- Fasterxml jackson-databind 2.6.0
- Fasterxml jackson-databind 2.6.1
- Fasterxml jackson-databind 2.6.2
- Fasterxml jackson-databind 2.6.3
- Fasterxml jackson-databind 2.6.4
- Fasterxml jackson-databind 2.6.5
- Fasterxml jackson-databind 2.6.6
- Fasterxml jackson-databind 2.6.7
- Fasterxml jackson-databind 2.7.0
- Fasterxml jackson-databind 2.7.1
- Fasterxml jackson-databind 2.7.1-1
- Fasterxml jackson-databind 2.7.2
- Fasterxml jackson-databind 2.7.3
- Fasterxml jackson-databind 2.7.4
- Fasterxml jackson-databind 2.7.5
- Fasterxml jackson-databind 2.7.6
- Fasterxml jackson-databind 2.7.7
- Fasterxml jackson-databind 2.7.8
- Fasterxml jackson-databind 2.7.9
- Fasterxml jackson-databind 2.8.0
- Fasterxml jackson-databind 2.8.1
- Fasterxml jackson-databind 2.8.2
- Fasterxml jackson-databind 2.8.3
- Fasterxml jackson-databind 2.8.4
- Fasterxml jackson-databind 2.8.5
- Fasterxml jackson-databind 2.8.6
- Fasterxml jackson-databind 2.8.7
- Fasterxml jackson-databind 2.8.8
- Fasterxml jackson-databind 2.8.8.1
- Redhat jboss_enterprise_application_platform 6.0.0
- Redhat jboss_enterprise_application_platform 6.4.0
- Redhat jboss_enterprise_application_platform 7.0.0
- Redhat jboss_enterprise_application_platform 7.1.0
- Redhat virtualization 4.0
- Redhat virtualization_host 4.0
References