Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
See original GitHub issueAnother gadget (*) type reported related to JNDI access. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2020-8840 Original discoverer: @threedr3am
Fixed in:
- 2.9.10.3 (
jackson-bom
version2.9.10.20200223
) - 2.8.11.5 (
jackson-bom
version2.8.11.20200210
) - 2.7.9.7
- does not affect 2.10.0 and later
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (3 by maintainers)
Top Results From Across the Web
CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect ...
A "gadget" exploit is possible due to a lack of a Java object being blocking from being deserialized. The highest threat from this...
Read more >Twitter-এ Threat Intel Center: " NEW: CVE-2020-8840 FasterXML ...
Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) · Issue #2620 · FasterXML/jackson... Another gadget (*) type reported related to ...
Read more >CVE-2020-8840 | Vulnerability Database | Debricked
Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) · Issue #2620 · FasterXML/jackson-databind · GitHub. launch. Github.com.
Read more >Deserialization of Untrusted Data in com.fasterxml.jackson ...
Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for CVE- ...
Read more >CVE-2020-8840
Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) · Issue #2620 · FasterXML/jackson-databind · GitHub, Third Party Advisory github ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I hope to have time to do the micro-patch release this by end of the week.
@nobdy yes, thank you for pointing that out.
@GodIsDevil no plans to backport to versions prior to 2.8.x.