You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Package Name: com.fasterxml.jackson.core:jackson-databind Package Version: ['2.6.5'] Package Manager: maven Target File: todolist-goof/todolist-web-common/pom.xml Severity Level: high Snyk ID: SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448 Snyk CVE: CVE-2018-14718 Snyk CWE: CWE-502 Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/af52ff7a-35a1-444b-9d04-2a7b33382328
Snyk Description: ## Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the slf4j-ext gadget due to an incomplete fix for the CVE-2017-7525 deserialization flaw.
Note: This vulnerability (CVE-2018-14718) is not identical to CVE-2018-12019, CVE-2018-14720, CVE-2018-14721, CVE-2018-14722,CVE-2018-12023 and CVE-2018-11307.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.
com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.
Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:
1. The target application allowing JSON user input which is processed by jackson-databind
An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.
2. Polymorphic type handling for properties with nominal type are enabled
Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.
3. An exploitable gadget class is available for the attacker to leverage
Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.
Package Name: com.fasterxml.jackson.core:jackson-databind
Package Version: ['2.6.5']
Package Manager: maven
Target File: todolist-goof/todolist-web-common/pom.xml
Severity Level: high
Snyk ID: SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448
Snyk CVE: CVE-2018-14718
Snyk CWE: CWE-502
Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/af52ff7a-35a1-444b-9d04-2a7b33382328
Snyk Description: ## Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the
slf4j-ext
gadget due to an incomplete fix for the CVE-2017-7525 deserialization flaw.Note: This vulnerability (
CVE-2018-14718
) is not identical toCVE-2018-12019
,CVE-2018-14720
,CVE-2018-14721
,CVE-2018-14722
,CVE-2018-12023
andCVE-2018-11307
.Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.
com.fasterxml.jackson.core:jackson-databind
allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.Exploitation of unsafe deserialization attacks through
jackson-databind
requires the following prerequisites:1. The target application allowing JSON user input which is processed by jackson-databind
An application using
jackson-databind
is only vulnerable if a user-provided JSON data is deserialized.2. Polymorphic type handling for properties with nominal type are enabled
Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.
3. An exploitable gadget class is available for the attacker to leverage
Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by
jackson-databind
. The maintainers ofjackson-databind
proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.Further reading:
Remediation
Upgrade
com.fasterxml.jackson.core:jackson-databind
to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.References
The text was updated successfully, but these errors were encountered: