Jackson Databind's Latest Deserialization Remote Code Execution Vulnerability (CVE-2020-24750)

Sep 27, 2020 GMT+08:00

I. Overview

It is recently disclosed that jackson-databind has a new deserialization remote code execution vulnerability (CVE-2020-24750). This vulnerability is caused by the insecure deserialization of the com.pastdev.httpcomponents:configuration library. Attackers can exploit this vulnerability to remotely execute code.

If you are a jackson-databind user, check your service and implement timely security hardening.

References:

https://github.com/FasterXML/jackson-databind/issues/2798

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

jackson-databind versions earlier than 2.9.10.6

Secure versions:

jackson-databind 2.9.10.6

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the latest secure version.

Download address:

https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.6

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.