Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:12693
HistoryJan 15, 2019 - 9:20 a.m.

Remote Code Execution (RCE)

2019-01-1509:20:28
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
9

EPSS

0.571

Percentile

97.7%

Jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 to bypass the blacklist when Spring libraries are available on the class path. In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) or a call to ObjectMapper.enableDefaultTyping(...) is needed.

References