Service Notices
Jackson Databind's Latest Deserialization Remote Code Execution Vulnerability (CVE-2020-24750)
Sep 27, 2020 GMT+08:00
I. Overview
It was recently disclosed that jackson-databind has a new deserialization remote code execution vulnerability (CVE-2020-24750). The vulnerability stems from insecure deserialization involving the com.pastdev.httpcomponents:configuration library, and attackers can exploit it to execute code remotely.
If you are a jackson-databind user, check your service and apply security hardening promptly.
References:
https://github.com/FasterXML/jackson-databind/issues/2798
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
jackson-databind versions earlier than 2.9.10.6
Secure versions:
jackson-databind 2.9.10.6
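To check a deployment against the affected range above, the following script (an added example, not part of the advisory or of the jackson-databind project) locates jackson-databind versions in two places a service usually exposes them, jar file names under a deployment directory and lines of `mvn dependency:tree` output, and flags any version earlier than 2.9.10.6. The jar names and dependency-tree lines in the block are constructed sample data; pre-release versions such as `2.9.10.4-SNAPSHOT` are deliberately not matched and should be reviewed by hand.

```python
"""
Added example: find jackson-databind versions in a deployment and flag
those the advisory lists as affected (earlier than 2.9.10.6, CVE-2020-24750).
"""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

FIXED_VERSION = "2.9.10.6"  # secure version named in the advisory

# jar file names such as jackson-databind-2.9.10.4.jar
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)\.jar$")
# Maven coordinates as printed by `mvn dependency:tree`:
#   group:artifact:packaging:version:scope
TREE_RE = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:\w+:(\d+(?:\.\d+)*)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.10.4' into (2, 9, 10, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the version is earlier than the fixed release.

    Tuple comparison ranks a shorter tuple below a longer one with the
    same prefix, so '2.9.10' (no patch digit) is correctly treated as
    earlier than '2.9.10.6', while '2.10.0' is not.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def versions_from_jar_names(names: Iterable[str]) -> List[str]:
    """Extract jackson-databind versions from jar paths or file names."""
    found = []
    for name in names:
        match = JAR_RE.match(Path(name).name)
        if match:
            found.append(match.group(1))
    return found


def versions_from_dependency_tree(lines: Iterable[str]) -> List[str]:
    """Extract jackson-databind versions from `mvn dependency:tree` output."""
    return [m.group(1) for m in (TREE_RE.search(line) for line in lines) if m]


def scan_directory(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory and report every jackson-databind jar."""
    results = []
    for path in Path(root).rglob("jackson-databind-*.jar"):
        for version in versions_from_jar_names([path.name]):
            results.append((str(path), version, is_affected(version)))
    return results


def report(versions: Iterable[str]) -> List[str]:
    """One human-readable verdict line per version found."""
    lines = []
    for version in versions:
        verdict = ("AFFECTED, upgrade to " + FIXED_VERSION
                   if is_affected(version) else "not affected")
        lines.append(f"jackson-databind {version}: {verdict}")
    return lines


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    sample_jars = [
        "WEB-INF/lib/jackson-databind-2.9.10.4.jar",
        "WEB-INF/lib/jackson-core-2.9.10.jar",
        "lib/jackson-databind-2.9.10.6.jar",
    ]
    sample_tree = [
        "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.3:compile",
        "[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile",
        "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:test",
    ]
    found = versions_from_jar_names(sample_jars) + versions_from_dependency_tree(sample_tree)
    for line in report(found):
        print(line)
    # For a real deployment: for path, version, bad in scan_directory("/opt/app"): ...
```

Run it against a real service by pointing scan_directory at the application's lib directory, or by piping `mvn dependency:tree` output into versions_from_dependency_tree; any line marked AFFECTED corresponds to a version in the advisory's affected range.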
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the latest secure version.
Download address:
https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.6
Note: Before applying the fix, back up your files and test the upgrade thoroughly.