Vulnerability

CVE-2020-9548

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502

References

https://github.com/FasterXML/jackson-databind/issues/2634
https://blog.sonatype.com/jackson-databind-remote-code-execution
https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9548

[CVE-2020-9548] CWE-502: Deserialization of Untrusted Data

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

See com.fasterxml.jackson.core/jackson-databind package information