CVE-2020-10968

2021-07-18T02:01:14
ID RH:CVE-2020-10968
Type redhatcve
Reporter redhat.com
Modified 2021-08-22T13:43:11

Description

A flaw was found in jackson-databind 2.x prior to version 2.9.10.4. The interaction between serialization gadgets and typing is mishandled in the bus-proxy. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Mitigation

The following conditions are needed for an exploit, we recommend avoiding all if possible
Deserialization from sources you do not control
enableDefaultTyping()
* @JsonTypeInfo usingid.CLASSorid.MINIMAL_CLASS`