
[Vulnerability Advisory] jackson-2704 / jackson-databind JNDI injection leading to remote code execution

Vulnerability description

Recently, the AsiaInfo Security Network Attack and Defense Lab observed that jackson-databind added one more class to its JNDI-injection blacklist (the change had not yet been included in the latest released version). If the jar containing this class is present in the project's dependencies and the JDK version is one that permits the injection, JNDI injection can be used to achieve remote code execution. The class is com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool.

Vulnerability ID

Jackson internal issue number 2704

Threat level

Medium

Affected versions

All versions

Vulnerability verification

(Verification screenshot; the image was not preserved in this copy of the page.)

Remediation

Refer to the official releases and update to the latest version.
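The description above makes the precondition explicit: the class only matters when it is loadable in the running JVM and a polymorphic deserializer is willing to instantiate whatever type id appears in the input. Because a blacklist entry, by definition, lags behind the discovery of each new class, the defensive configuration is to reject every type id that is not explicitly allowed. The Java example below is added here and is not code from the advisory or from the Jackson project; it probes whether the class named in the advisory is present on the classpath (without initializing it), and contrasts a legacy "accept any class name" mapper with one that uses jackson-databind's `BasicPolymorphicTypeValidator` (available since 2.10) restricted to an assumed application package, `com.example.model`. The `Circle` class and that package name are assumptions made for the example.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonHardening {

    // Class named in the advisory. It is only probed for presence, never instantiated.
    static final String ADVISORY_CLASS =
        "com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool";

    /** True if the current JVM/classpath can load the class (initialize=false: no static init runs). */
    static boolean advisoryClassPresent() {
        try {
            Class.forName(ADVISORY_CLASS, false, JacksonHardening.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Weak setting: pre-2.10 style default typing with no validator; any class name in input is resolved. */
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Hardened setting: only subtypes under the application's own package (assumed) may be instantiated. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // assumed application package
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Application type that the allowlist permits (nested class name starts with com.example.model.). */
    public static class Circle {
        public double radius;
    }

    /**
     * Feeds the mapper a polymorphic value whose type id is the advisory's class and reports whether
     * it was rejected. With the hardened mapper the validator rejects the id before any class is
     * resolved; InvalidTypeIdException is also what Jackson throws when the class cannot be found.
     */
    static boolean rejectsAdvisoryTypeId(ObjectMapper mapper) {
        String json = "[\"" + ADVISORY_CLASS + "\", {}]";   // constructed input, empty property set
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** Confirms the allowlist still permits the application's own polymorphic types to round-trip. */
    static boolean roundTripsAllowedType(ObjectMapper mapper) throws Exception {
        Circle c = new Circle();
        c.radius = 2.5;
        // Declared type Object triggers default typing, so the type id is embedded in the output.
        String json = mapper.writerFor(Object.class).writeValueAsString(c);
        Object back = mapper.readValue(json, Object.class);
        return back instanceof Circle && ((Circle) back).radius == 2.5;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("advisory class loadable here : " + advisoryClassPresent());
        System.out.println("hardened mapper rejects id   : " + rejectsAdvisoryTypeId(hardenedMapper()));
        System.out.println("hardened mapper allows Circle: " + roundTripsAllowedType(hardenedMapper()));
        // The legacy mapper relies solely on the built-in blacklist; whether it rejects the id depends on
        // which jackson-databind version is on the classpath, which is exactly the gap the advisory describes.
        System.out.println("legacy mapper rejects id     : " + rejectsAdvisoryTypeId(legacyMapper()));
    }
}
```

Compile against jackson-databind 2.10 or later. The first line of output tells you whether the advisory's precondition holds on a given deployment; the second and third show that an allowlist-based validator closes the gap independently of the blacklist while leaving the application's own types usable.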

Timeline

[0] 2020/05/14: AsiaInfo Security Network Attack and Defense Lab analyzed and reproduced the vulnerability and published this advisory.

Reference

https://github.com/FasterXML/jackson-databind/issues/2704
https://github.com/FasterXML/jackson-databind/releases
