CVE-2020-11619
Deserialization vulnerability in jackson-databind (Maven)

Category: Deserialization | Known public exploit: none

What is CVE-2020-11619 About?

This vulnerability affects FasterXML jackson-databind and is one of the long series of "serialization gadget" issues in that library: when an application lets the JSON document choose the class to instantiate (default typing, or type information on an Object-, interface- or abstract-typed property), a class that happens to be on the classpath can be driven by attacker-controlled property values. For this CVE the gadget class is org.springframework.aop.config.MethodLocatingFactoryBean from spring-aop. The outcome can be remote code execution if that class is present and untrusted JSON reaches a polymorphic deserialization. Exploitation involves sending crafted JSON to such an endpoint and is moderately complex, since it depends on the application's configuration and classpath.

Affected Software

com.fasterxml.jackson.core:jackson-databind >2.9.0, <2.9.10.4

Technical Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (from spring-aop). The root cause is polymorphic deserialization: when an application enables default typing (ObjectMapper.enableDefaultTyping()) or otherwise allows the JSON to carry a fully qualified class name for a property declared as Object, an interface or an abstract type, the input decides which class jackson-databind instantiates and which setters it calls. jackson-databind mitigates this with a built-in denylist of known gadget classes (SubTypeValidator); releases before 2.9.10.4 did not list MethodLocatingFactoryBean, so a crafted JSON document could name it and have its properties populated with attacker-controlled values, which can be turned into arbitrary code execution. Version 2.9.10.4 adds the class to the denylist. The application is exposed only when it deserializes untrusted input with polymorphic typing enabled and spring-aop is on the classpath. Because a denylist entry fixes one gadget at a time, the durable remediation is to disable default typing on untrusted input or to restrict it to an allowlist of the application's own types (PolymorphicTypeValidator, available from jackson-databind 2.10).

What is the Impact of CVE-2020-11619?

Successful exploitation may allow an attacker to execute arbitrary code in the context of the application process, with whatever privileges that process holds, and from there to read or modify application data or take over the host entirely.

What is the Exploitability of CVE-2020-11619?

Exploitation requires the attacker to send crafted JSON to an application endpoint that deserializes untrusted input with an affected version of jackson-databind and with polymorphic (default) typing enabled, so that the input can name a class. The complexity is moderate: the attacker must know or guess that spring-aop is on the classpath and that a reachable property is typed loosely enough (Object, interface or abstract type) for the type id to be honoured. There are generally no authentication or privilege requirements, because the affected endpoints are frequently public APIs, and the attack is remote. The likelihood of exploitation is highest in applications that bind arbitrary user input into Object-typed fields with default typing enabled and that ship common gadget-bearing libraries such as Spring.
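The preconditions described in the Technical Details and Exploitability sections (default typing switched on, an Object-typed sink, a gadget class on the classpath) and the hardened alternative can be seen side by side in code. The following is an added example written for this page, not code from the advisory or from the jackson-databind project: an ObjectMapper configured the way exposed applications were, next to one that only resolves type ids under the application's own package, plus a probe that feeds both mappers a JSON document naming the spring-aop class from this CVE. It assumes jackson-databind 2.10 or later (the PolymorphicTypeValidator API does not exist in 2.9.x, where the 2.9.10.4 fix is purely a denylist entry); the package, class and property names are hypothetical, and both JSON documents are constructed for the demonstration.

```java
// Added example for this advisory page; not jackson-databind project code.
// Assumes jackson-databind 2.10+ on the classpath. Package and class names
// (example.DefaultTypingDemo, Envelope, Greeting) are hypothetical.
package example;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // A bean with an Object-typed property: the classic sink, because with
    // default typing the JSON decides which concrete class is instantiated here.
    public static class Envelope {
        public Object payload;
    }

    // One of the application's own types that is legitimately polymorphic.
    public static class Greeting {
        public String text;
    }

    // EXPOSED (pre-fix pattern): global default typing with no restriction on
    // which class names are accepted. On jackson-databind before 2.9.10.4 a
    // payload naming org.springframework.aop.config.MethodLocatingFactoryBean is
    // not on the denylist, so its setters are reachable from untrusted JSON
    // whenever spring-aop is on the classpath.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unrestrictedMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // defaults to OBJECT_AND_NON_CONCRETE, no validator
        return m;
    }

    // HARDENED: default typing is kept (the application needs it for Greeting
    // and friends) but only type ids under the application's package resolve.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("example.")   // prefix match on the class name
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Returns true if the mapper refused the document with a mapping/type error
    // (InvalidTypeIdException or InvalidDefinitionException, both subclasses of
    // JsonMappingException). Malformed JSON is reported as "not rejected" so the
    // probe cannot pass by accident.
    public static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        } catch (java.io.IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs using the WRAPPER_ARRAY form that default
        // typing emits: ["<class name>", { ...properties... }]
        String legit = "{\"payload\":[\"example.DefaultTypingDemo$Greeting\",{\"text\":\"hi\"}]}";
        String probe = "{\"payload\":[\"org.springframework.aop.config.MethodLocatingFactoryBean\",{}]}";

        ObjectMapper hardened = hardenedMapper();
        Envelope ok = hardened.readValue(legit, Envelope.class);
        System.out.println("legit payload bound to: " + ok.payload.getClass().getName());
        System.out.println("gadget type id rejected by hardened mapper: " + rejects(hardened, probe));

        // The unrestricted mapper only refuses the gadget if the library's own
        // denylist (SubTypeValidator) knows the class, i.e. on 2.9.10.4 or later
        // with spring-aop present. Without spring-aop the class simply fails to
        // load, which also reads as "rejected" but proves nothing about the fix.
        System.out.println("gadget type id rejected by unrestricted mapper: " + rejects(unrestrictedMapper(), probe));
    }
}
```

The hardened mapper refuses the probe whether or not spring-aop is installed: the class name falls outside the allowlist, so even if the class resolves it is not accepted as a subtype for the Object-typed property. The unrestricted mapper's result only says something about this CVE when spring-aop is actually on the classpath; on an affected version in that setup the document binds, which is exactly the behaviour that made the gadget usable. Dropping default typing altogether and using @JsonTypeInfo with named subtypes on the few properties that need polymorphism is stronger still, since no class name ever comes from the input.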

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-11619?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.10.4 → Upgrade to 2.9.10.4 (the minimum fixed release; later 2.9.10.x releases add further gadget classes to the denylist, so prefer the newest release of the line, or 2.10+ where default typing can be restricted with a PolymorphicTypeValidator)

jackson-databind is usually pulled in transitively (for example through Spring Boot), so confirm the version that actually resolves in the build (mvn dependency:tree) rather than the one declared directly, and override it through dependencyManagement if a parent POM pins an older release. Upgrading removes this gadget only: applications that enable default typing on untrusted input should disable it or switch to an allowlist, otherwise the next gadget class discovered on the classpath reopens the same path.

Additional Resources

What are Similar Vulnerabilities to CVE-2020-11619?

Similar Vulnerabilities (other jackson-databind polymorphic-typing gadget issues): CVE-2019-12384, CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2020-9548