Preface: In Java development, software developers will often need to read in JSON data, or provide JSON data as an output. But Java JSON Processing API is not very user friendly and doesn’t provide features for automatic transformation from Json to Java object.
Jackson technical background: Jackson is a suite of data-processing tools for Java (and the JVM platform), including the flagship streaming JSON parser / generator library, matching data-binding library (POJOs to and from JSON) and additional data format modules to process data encoded in Avro, BSON, CBOR, CSV, Smile, (Java) Properties, Protobuf, XML or YAML.
Remark: com.fasterxml.jackson.databind.ObjectMapper is the most important class in Jackson API that provides readValue() and writeValue() methods to transform JSON to Java Object and Java Object to JSON.
Vulnerabilities found on FasterXML jackson-databind:
FasterXML jackson-databind slf4j-ext Class Arbitrary Code Execution Vulnerability – A successful exploit could allow the attacker to execute arbitrary code.
FasterXML jackson-databind Blaze-ds-Opt and Blaze-ds-Core Classes Arbitrary Code Execution Vulnerability – A successful exploit could allow the attacker to execute arbitrary code.
FasterXML jackson-databind Polymorphic Deserialization External XML Entity Vulnerability – A successful exploit could allow the attacker to conduct an XXE attack, which could be used to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system.
Vendor Announcements:
https://github.com/FasterXML/jackson-databind/releases
Hi there, simply become alert to your weblog through Google, and located that it’s really informative. I’m going to be careful for brussels. I’ll be grateful should you proceed this in future. Lots of people shall be benefited from your writing. Cheers!|
We are a group of volunteers and starting a brand new scheme in our community. Your website provided us with helpful information to work on. You’ve performed an impressive process and our entire community will be grateful to you.|