Lucene search

K
redhatcveRedhat.comRH:CVE-2017-7525
HistoryApr 04, 2020 - 5:14 a.m.

CVE-2017-7525

2020-04-0405:14:31
redhat.com
access.redhat.com
31

EPSS

0.571

Percentile

97.7%

A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Mitigation

Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to <https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true&gt;