CVE-2020-10650
Unsafe Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2020-10650 About?
This Unsafe Deserialization vulnerability in `com.fasterxml.jackson.core:jackson-databind` (before 2.9.10.4) allows attackers to trigger arbitrary behavior because the library mishandles interactions with specific classes, such as those from `ignite-jta`. Such vulnerabilities can lead to arbitrary code execution; exploitation complexity is moderate because it relies on specific libraries being present on the classpath.
Affected Software
Technical Details
The vulnerability in the `com.fasterxml.jackson.core:jackson-databind` library arises from insecure deserialization practices. Specifically, when handling interactions related to the `ignite-jta` class, a malicious serialized object can be crafted to exploit the deserialization process. This typically involves a gadget chain in which deserializing the `ignite-jta` class, or objects that contain it, leads to the invocation of dangerous methods. Because these invocations happen as part of the deserialization flow, they bypass normal application logic and can result in arbitrary code execution, manipulation of application state, or other harmful actions, without requiring user authentication if the deserialization endpoint is exposed.
What is the Impact of CVE-2020-10650?
Successful exploitation may allow attackers to execute arbitrary code, modify data, achieve denial of service, or perform remote code execution.
What is the Exploitability of CVE-2020-10650?
Exploiting this vulnerability typically involves sending the application a specially crafted input that triggers the unsafe deserialization behavior. The complexity is moderate, since it requires knowledge of the available gadget classes (such as `ignite-jta`) and their methods. No authentication is necessary if the deserialization endpoint is publicly accessible; this is a remote attack. Any resulting code execution runs with the privileges of the vulnerable application's process. A critical precondition for exploitation is that the `ignite-jta` class is present on the application's classpath. Exploitation is more likely in applications that deserialize untrusted data without strict type validation or whitelisting of deserialized object types.
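As an added example (not code from this advisory or from the jackson-databind project), the permissive default-typing setup that lets a type id embedded in untrusted JSON choose which class gets instantiated, beside the allowlist-based `PolymorphicTypeValidator` configuration available from jackson-databind 2.10 onward; `com.example.model` is an assumed application package, and the JSON input is constructed.

```java
// Added example, not part of the advisory or of jackson-databind itself.
// Assumes jackson-databind 2.10+ on the classpath and an application model
// package com.example.model (hypothetical).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {

    /** Weak setting: any class named by an "@class" / wrapper-array type id may be
     *  instantiated, which is what gadget-based deserialization issues depend on. */
    @SuppressWarnings("deprecation")
    static ObjectMapper permissiveMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Hardened setting: polymorphic type ids are honoured only for the
     *  application's own model package; everything else is denied. */
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType("com.example.model.")
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Returns true when the allowlist mapper refuses a type id outside the allowlist. */
    static boolean rejectsForeignTypeId(String json) throws Exception {
        try {
            allowlistMapper().readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            // Thrown because the validator returned DENIED/INDETERMINATE for the id.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a type id outside com.example.model, as a
        // gadget-style payload would carry. The class itself is harmless here.
        String untrusted = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
        System.out.println("allowlist mapper rejected type id: " + rejectsForeignTypeId(untrusted));
    }
}
```

The 2.9.10.4 fix blocks known gadget classes by deny list, whereas the allowlist above removes the whole class of issue; if the application does not need polymorphic deserialization at all, the strongest option is to leave default typing off entirely.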
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-10650?
About the Fix from Resolved Security
This patch adds several dangerous classes to a deny list that prevents them from being deserialized using Jackson. It mitigates CVE-2020-10650 by blocking deserialization of classes that could be used to perform remote JNDI lookups and enable remote code execution, thereby preventing this security risk.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.9.10.4 → Upgrade to 2.9.10.4
Additional Resources
- https://security.netapp.com/advisory/ntap-20230818-0007/
- https://osv.dev/vulnerability/GHSA-rpr3-cw39-3pxh
- https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
- https://github.com/FasterXML/jackson-databind/issues/2658
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
- https://github.com/luisgarciacheckmarx/LGV_onefile/issues/19
- https://nvd.nist.gov/vuln/detail/CVE-2020-10650
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
What are Similar Vulnerabilities to CVE-2020-10650?
Similar Vulnerabilities: CVE-2020-14195, CVE-2020-11112, CVE-2020-14060, CVE-2019-14540, CVE-2018-7489
