Jackson-databind is listed as vulnerable to Remote Code Execution (RCE): an attacker can submit crafted XML which, when parsed by the application, leads to XML eXternal Entity Reference ('XXE') attacks and further security issues. The parserFactory object, an instance of DocumentBuilderFactory in the DOMDeserializer.class file, does not disable the expansion of external entities by default, so the jackson-databind package is vulnerable to XXE attacks.

Jackson-core is vulnerable to Denial of Service (DoS) through log flooding. When the data contains invalid JSON, an exception is thrown, and the error message is written to server.log together with the request data, which consumes the available disk space. The _reportInvalidToken() function in the UTF8StreamJsonParser and ReaderBasedJsonParser classes allows large amounts of extraneous data to be printed to the server log. An attacker can exploit this by crafting a POST request containing large amounts of data.

Jackson-core is also vulnerable to DoS through heap exhaustion. The writeNumber() method in UTF8JsonGenerator.class and WriterBasedJsonGenerator.class converts a BigDecimal value to its plain-text form without validating the size of the input exponent when the WRITE_BIGDECIMAL_AS_PLAIN setting is enabled; a value with a huge exponent expands into a correspondingly huge string, which over-consumes Java heap memory. By default, WRITE_BIGDECIMAL_AS_PLAIN is disabled, so the application is vulnerable by using this component only when WRITE_BIGDECIMAL_AS_PLAIN is explicitly enabled. If upgrading is not an option, disable WRITE_BIGDECIMAL_AS_PLAIN.

A deserialization flaw was discovered in jackson-databind versions before 2.6.7.1, 2.7.9.1 and 2.8.9 which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component when default typing is enabled.

Plan to update to the non-vulnerable version in the F version.
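The XXE point above comes down to how the DocumentBuilderFactory is configured. The following is an added example, not code from the page or from jackson-databind itself: it parses a constructed XML document carrying an external entity with a factory left at its defaults and then with a hardened one, so you can see which configuration resolves the entity. The sample XML, the class name XxeFactoryCheck and the choice of /etc/hostname as a harmless target are all assumptions made here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeFactoryCheck {

    // Constructed sample input (not from the page): a document whose DOCTYPE declares
    // an external entity. A parser that honours it reads the SYSTEM file and substitutes
    // its contents for &ext; inside <data>. /etc/hostname is used as a harmless target.
    static final String XXE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<doc><data>&ext;</data></doc>";

    // Weak configuration: a factory exactly as returned by newInstance(), which on the
    // JDK's built-in parser allows DOCTYPE declarations and resolves external entities.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: refuse DOCTYPE outright (no entities, no external DTD,
    // no entity-expansion bombs) and, in case an implementation ignores that feature,
    // disable external entity resolution and XInclude explicitly as well.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the sample with the given factory and reports either the text that ended
    // up inside <data> (entity resolved) or the parser's refusal.
    static String probe(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            String text = doc.getDocumentElement().getTextContent().trim();
            return "parsed; <data> contains: \"" + text + "\"";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory  -> " + probe(defaultFactory(), XXE_XML));
        System.out.println("hardened factory -> " + probe(hardenedFactory(), XXE_XML));
    }
}
```

Compile and run with a plain JDK; no Jackson dependency is needed for this one. The first line prints the contents of the referenced file, the second prints a SAXParseException complaining that DOCTYPE is disallowed. The disallow-doctype-decl feature alone is what closes the hole; the remaining features are defence in depth for parser implementations that do not honour it.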
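For the WRITE_BIGDECIMAL_AS_PLAIN issue, here is an added example (not from the page and not jackson-core's own fix) that shows the weak and the corrected ObjectMapper configuration side by side, plus the check a practitioner would want if plain output is a genuine requirement: bound the BigDecimal scale before asking for a plain string. The sample JSON numbers, the limit MAX_PLAIN_SCALE, the class name BigDecimalPlainCheck and the --hostile-weak flag are assumptions made here; it needs jackson-databind on the classpath.

```java
import java.io.IOException;
import java.math.BigDecimal;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;

public class BigDecimalPlainCheck {

    // Constructed untrusted input (not from the page): a JSON number with an enormous
    // positive exponent. Parsing it into a BigDecimal is cheap (unscaled value 1,
    // scale -1000000000); rendering it with toPlainString() means a billion zeros.
    static final String HOSTILE_JSON = "1E+1000000000";
    static final String BENIGN_JSON  = "1.2345E+3";

    // Assumed application limit on |scale| for plain rendering; anything beyond it
    // is emitted in exponent notation instead of being expanded.
    static final int MAX_PLAIN_SCALE = 10_000;

    // Weak configuration: WRITE_BIGDECIMAL_AS_PLAIN explicitly switched on, so every
    // BigDecimal goes through toPlainString() regardless of its exponent.
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);
    }

    // Hardened configuration: leave the feature at its default (off) and, where plain
    // output is a real requirement, bound the scale in a dedicated serializer.
    static ObjectMapper hardenedMapper() {
        SimpleModule module = new SimpleModule();
        module.addSerializer(BigDecimal.class, new StdSerializer<BigDecimal>(BigDecimal.class) {
            @Override
            public void serialize(BigDecimal value, JsonGenerator gen, SerializerProvider provider)
                    throws IOException {
                gen.writeNumber(safePlainString(value));
            }
        });
        return new ObjectMapper().registerModule(module);
    }

    // The actual check: plain form only when the exponent is small enough to be harmless.
    static String safePlainString(BigDecimal value) {
        if (Math.abs(value.scale()) > MAX_PLAIN_SCALE) {
            return value.toString();        // scientific notation, bounded size
        }
        return value.toPlainString();
    }

    // Round trip: untrusted JSON number in, JSON number out, as a service that echoes
    // client-supplied amounts would do.
    static String roundTrip(ObjectMapper mapper, String json) throws IOException {
        BigDecimal value = mapper.readValue(json, BigDecimal.class);
        return mapper.writeValueAsString(value);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign,  weak     : " + roundTrip(weakMapper(), BENIGN_JSON));
        System.out.println("benign,  hardened : " + roundTrip(hardenedMapper(), BENIGN_JSON));
        System.out.println("hostile, hardened : " + roundTrip(hardenedMapper(), HOSTILE_JSON));
        // On a jackson-core without an exponent check, the next line tries to build a
        // billion-character string and exhausts the heap; patched releases refuse the
        // value with a generation error instead. Opt in deliberately.
        if (args.length > 0 && args[0].equals("--hostile-weak")) {
            System.out.println("hostile, weak     : " + roundTrip(weakMapper(), HOSTILE_JSON));
        }
    }
}
```

Both mappers print 1234.5 for the benign value; the hardened mapper prints the hostile value back as 1E+1000000000 instead of expanding it. Note that the attacker's input reaches the generator through a perfectly ordinary path (a JSON number parsed into a BigDecimal and echoed back), which is why the guard belongs on the serialization side and not only on input validation.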
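The last two issues both sit on the readValue entry point: default typing lets a request name the class that gets instantiated, and an invalid body can have its contents echoed into the log by the parser's error message. The following added example (not from the page and not jackson-databind's own code) shows the weak and the hardened mapper configuration for default typing and wraps readValue in an entry point that caps the body size and truncates parser messages before they are logged. The Order model, the limits MAX_BODY_BYTES and MAX_LOG_CHARS, the allowlisted package com.example.model and the class name SafeReadValueCheck are assumptions; activateDefaultTyping with a PolymorphicTypeValidator requires Jackson 2.10 or later. The constructed payload names a harmless JDK class to show the mechanism; the page does not enumerate any gadget class and none is used here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeReadValueCheck {

    // Request model (assumed). A property typed as java.lang.Object is exactly where
    // default typing lets the client name the class that gets instantiated.
    public static class Order {
        public String id;
        public Object note;
    }

    // Assumed application limits.
    static final int MAX_BODY_BYTES = 64 * 1024;
    static final int MAX_LOG_CHARS  = 200;

    // Weak configuration: global default typing. Any Object-typed value shaped like
    // ["fully.qualified.ClassName", {...}] is resolved and instantiated by readValue.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened configuration: the simplest fix is to never enable default typing at all.
    // Where polymorphic handling is genuinely needed, gate it behind an allowlist with a
    // PolymorphicTypeValidator; com.example.model is an assumed application package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        return new ObjectMapper()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
    }

    // Entry point for an untrusted body: cap the size before parsing, and never let the
    // parser's error message (which can echo the offending input) reach a log untrimmed.
    static Order parseOrder(ObjectMapper mapper, byte[] body) throws IOException {
        if (body.length > MAX_BODY_BYTES) {
            throw new IOException("request body too large: " + body.length + " bytes");
        }
        try {
            return mapper.readValue(body, Order.class);
        } catch (JsonProcessingException e) {
            String msg = e.getOriginalMessage();
            if (msg != null && msg.length() > MAX_LOG_CHARS) {
                msg = msg.substring(0, MAX_LOG_CHARS) + "...[truncated]";
            }
            System.err.println("rejected JSON: " + msg);
            throw e;
        }
    }

    static String describe(ObjectMapper mapper, String label, byte[] body) {
        try {
            Order o = parseOrder(mapper, body);
            return label + ": ok, note is " + (o.note == null ? "null" : o.note.getClass().getName());
        } catch (IOException e) {
            return label + ": refused (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies (not from the page).
        byte[] honest = "{\"id\":\"A1\",\"note\":\"gift wrap\"}".getBytes(StandardCharsets.UTF_8);
        byte[] typed  = "{\"id\":\"A1\",\"note\":[\"java.util.HashMap\",{}]}".getBytes(StandardCharsets.UTF_8);
        StringBuilder junk = new StringBuilder("{\"id\":");
        for (int i = 0; i < 2_000; i++) junk.append('x');   // invalid token, under the size cap
        byte[] invalid = junk.toString().getBytes(StandardCharsets.UTF_8);
        byte[] flood = new byte[MAX_BODY_BYTES + 1];         // over the size cap
        Arrays.fill(flood, (byte) 'x');

        System.out.println(describe(weakMapper(),     "weak, honest     ", honest));
        System.out.println(describe(weakMapper(),     "weak, typed      ", typed));
        System.out.println(describe(hardenedMapper(), "hardened, honest ", honest));
        System.out.println(describe(hardenedMapper(), "hardened, typed  ", typed));
        System.out.println(describe(hardenedMapper(), "hardened, invalid", invalid));
        System.out.println(describe(hardenedMapper(), "hardened, flood  ", flood));
    }
}
```

With the weak mapper the typed body instantiates a java.util.HashMap chosen by the client; with the hardened mapper the same body is refused with an InvalidTypeIdException because the class is outside the allowlist, while the honest body parses in both. The invalid body produces a single truncated log line rather than an echo of the whole request, and the oversized body never reaches the parser at all. If your model has no Object-typed or abstract properties, drop activateDefaultTyping entirely; a plain new ObjectMapper() is the safest configuration.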