Jackson Databind's Latest Deserialization Remote Code Execution Vulnerability (CVE-2020-24750)
Sep 27, 2020 GMT+08:00
It was recently disclosed that jackson-databind has a new deserialization remote code execution vulnerability (CVE-2020-24750). It is a polymorphic typing ("default typing") gadget: when an application enables default typing and the com.pastdev.httpcomponents:configuration library is on the classpath, a crafted JSON document can name that library's com.pastdev.httpcomponents.configuration.JndiConfiguration class as the type to instantiate, which triggers a JNDI lookup and can lead to remote code execution. Applications that never enable default typing (and do not use @JsonTypeInfo with class-name type ids on attacker-controlled input) are not exposed by this gadget.
If you are a jackson-databind user, check whether your service is affected and apply the fix promptly.
(Severity scale: low, moderate, important, and critical)
III. Affected Products
jackson-databind 2.x versions earlier than 2.9.10.6, in services that enable default typing and have the com.pastdev.httpcomponents:configuration library on the classpath (directly or as a transitive dependency)
IV. Vulnerability Handling
This vulnerability is fixed in jackson-databind 2.9.10.6, which adds the gadget class to the library's blocklist of disallowed polymorphic types. If your service runs an affected version, upgrade to 2.9.10.6 or later. Note that the upgrade closes only this gadget; the underlying exposure is default typing itself, so also remove enableDefaultTyping() wherever it is not strictly required, or, on jackson-databind 2.10 or later, replace it with activateDefaultTyping() and an allowlist-based PolymorphicTypeValidator.
Note: Before applying the fix, back up your files and test the upgraded service thoroughly.
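The following is an added example, not code from this notice or from the Jackson project, showing the ObjectMapper configuration that makes a service exposed to gadget CVEs such as CVE-2020-24750 next to two ways of hardening it. The class names JacksonTypingHardening, Event, Note and Ping and the package prefix com.example.model. are hypothetical; the Jackson API calls (enableDefaultTyping, activateDefaultTyping, BasicPolymorphicTypeValidator, @JsonTypeInfo, @JsonSubTypes) are real, with activateDefaultTyping and BasicPolymorphicTypeValidator requiring jackson-databind 2.10 or later.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Hypothetical service code: how an ObjectMapper ends up exposed, and two ways to close it. */
public class JacksonTypingHardening {

    /**
     * Exposed configuration. enableDefaultTyping() makes every property whose declared type is
     * Object, an interface or an abstract class accept a JSON type id that is a fully qualified
     * class name, e.g. ["some.gadget.Class", {...}]. That is the precondition for the
     * jackson-databind gadget CVEs, CVE-2020-24750 included: an attacker only needs a usable
     * gadget class on the classpath, and upgrading blocklists only the gadgets known so far.
     */
    public static ObjectMapper exposedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    /**
     * Mitigation 1 (jackson-databind 2.10 or later): if default typing is genuinely needed,
     * activate it with an allowlist validator so that class-name type ids outside the
     * application's own model package are rejected before any class is loaded.
     */
    public static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /**
     * Mitigation 2 (any jackson-databind 2.x): no default typing at all. Polymorphism is
     * declared per base type with logical names, so the wire format never carries a class
     * name and only the registered subtypes can ever be instantiated.
     */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
            @JsonSubTypes.Type(value = Note.class, name = "note"),
            @JsonSubTypes.Type(value = Ping.class, name = "ping")
    })
    public interface Event { }

    public static class Note implements Event { public String text; }

    public static class Ping implements Event { public long sentAt; }

    // A plain ObjectMapper has default typing switched off.
    private static final ObjectMapper PLAIN = new ObjectMapper();

    public static Event parseEvent(String json) throws Exception {
        return PLAIN.readValue(json, Event.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a registered logical name is accepted.
        Event ok = parseEvent("{\"kind\":\"note\",\"text\":\"hello\"}");
        System.out.println("parsed " + ok.getClass().getSimpleName());

        // Any type id that is not a registered name, including a fully qualified class
        // name, is rejected with InvalidTypeIdException before any class is resolved.
        try {
            parseEvent("{\"kind\":\"com.example.NotRegistered\",\"text\":\"x\"}");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

To find out which jackson-databind build a service actually ships, inspect the resolved dependency rather than the declared one, since it is frequently pulled in transitively: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` for Maven, or `gradle dependencyInsight --dependency jackson-databind` for Gradle. Then search the code base for enableDefaultTyping() and for @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) on types that are deserialized from untrusted input; those are the call sites that turn a gadget on the classpath into remote code execution.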