
[Vulnerability Advisory] CVE-2765-2020/jackson-databind: JNDI injection leading to remote code execution

Last updated at Posted at 2020-06-29

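Vulnerability Description

Recently, the AsiaInfo Security Network Attack and Defense Lab observed that jackson-databind added one more class to its JNDI-injection blacklist. If a jar containing this class is present in the project's packages and the JDK version is one that permits the injection, JNDI injection can be used to achieve remote code execution. The class name is org.jsecurity.realm.jndi.JndiRealmFactory.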

Vulnerability ID

CVE-2765-2020

Threat Level

Medium

Unaffected Versions

jackson-databind >= 2.11.1

Vulnerability Verification

image.png

Remediation

Upgrade to the latest version as published by the official project.
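
An added example, not part of the original advisory or of jackson-databind: a Python script that scans jar files for the two jar-level conditions described above (the class org.jsecurity.realm.jndi.JndiRealmFactory is present, and jackson-databind is older than 2.11.1). The pom.properties path inside the jar and the report keys are assumptions of this example, and the JDK-version condition is not checked.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class named in the advisory, as it appears as an entry inside a jar.
GADGET_ENTRY = "org/jsecurity/realm/jndi/JndiRealmFactory.class"
# First jackson-databind version the advisory lists as unaffected.
FIXED = (2, 11, 1)
# Assumption: the jar carries the standard Maven metadata file.
POM_PROPS = ("META-INF/maven/com.fasterxml.jackson.core/"
             "jackson-databind/pom.properties")


def parse_version(text):
    """'2.9.10.5' -> (2, 9, 10); None when no leading x.y[.z] is present."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def inspect_jar(jar):
    """Return (has_gadget_class, databind_version_or_None) for one jar."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = parse_version(m.group(1)) if m else None
        return GADGET_ENTRY in names, version


def audit(jars):
    """jars: iterable of (label, path or file object). Flags both conditions."""
    gadget, old = [], []
    for label, jar in jars:
        has_gadget, version = inspect_jar(jar)
        if has_gadget:
            gadget.append(label)
        if version is not None and version < FIXED:
            old.append((label, ".".join(map(str, version))))
    return {"gadget_jars": gadget, "old_databind": old,
            "exposed": bool(gadget and old)}


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    report = audit((str(p), p) for p in sorted(root.rglob("*.jar")))
    print(report)
    sys.exit(1 if report["exposed"] else 0)
```

Run it against a directory of dependency jars such as a `lib` folder; jars nested inside a fat jar are not unpacked by this script.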

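Timeline

[0] 2020/06/29 The AsiaInfo Security Network Attack and Defense Lab analyzed and reproduced the vulnerability and published this advisory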
