Preface: In Java development, software developers often need to read in JSON data or emit JSON data as output. The standard Java JSON Processing API, however, is not very user-friendly and does not provide automatic transformation from JSON to Java objects.
Jackson technical background: Jackson is a suite of data-processing tools for Java (and the JVM platform), including the flagship streaming JSON parser/generator library, the matching data-binding library (POJOs to and from JSON) and additional data-format modules to process data encoded in Avro, BSON, CBOR, CSV, Smile, (Java) Properties, Protobuf, XML or YAML.
Remark: com.fasterxml.jackson.databind.ObjectMapper is the most important class in the Jackson API; it provides the readValue() and writeValue() methods that transform JSON into Java objects and Java objects into JSON.
Vulnerabilities found on FasterXML jackson-databind:
FasterXML jackson-databind slf4j-ext Class Arbitrary Code Execution Vulnerability – A successful exploit could allow the attacker to execute arbitrary code.
FasterXML jackson-databind Blaze-ds-Opt and Blaze-ds-Core Classes Arbitrary Code Execution Vulnerability – A successful exploit could allow the attacker to execute arbitrary code.
FasterXML jackson-databind Polymorphic Deserialization External XML Entity Vulnerability – A successful exploit could allow the attacker to conduct an XXE attack, which could be used to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system.
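The three issues above all stem from jackson-databind resolving a polymorphic type id supplied in the JSON into a class it then instantiates. The following is an added example (not code from the original post or from the Jackson project) showing the defensive configuration of ObjectMapper that keeps type resolution on an explicit allowlist: name-based type ids with a fixed @JsonSubTypes list, no default typing, and a BasicPolymorphicTypeValidator as defence in depth. It assumes Jackson 2.10 or later; the Shape, Circle and Square types and the SafePolymorphicDemo class are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class SafePolymorphicDemo {
    // Hypothetical domain type: logical names, not class names, select the subtype.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape { double area(); }

    public static class Circle implements Shape {
        public double r;
        public double area() { return Math.PI * r * r; }
    }
    public static class Square implements Shape {
        public double side;
        public double area() { return side * side; }
    }

    static ObjectMapper buildMapper() {
        // Defence in depth: if class-name type ids are ever enabled anywhere in this
        // mapper, only subtypes of Shape may be resolved; everything else is rejected.
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);
        // Deliberately no enableDefaultTyping()/activateDefaultTyping(): the JSON never chooses a class.
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = buildMapper();
        // Constructed sample input with a permitted type id.
        Shape ok = mapper.readValue("{\"type\":\"circle\",\"r\":2.0}", Shape.class);
        System.out.println("area=" + ok.area());
        // Constructed sample input naming a type id outside the declared subtypes.
        try {
            mapper.readValue("{\"type\":\"unknown-type\",\"x\":1}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

With Id.NAME the @JsonSubTypes list is itself the allowlist, so an unrecognised type id fails with InvalidTypeIdException before any object is constructed; the validator only becomes relevant if class-based type ids are used elsewhere in the application.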