Fasterxml | Jackson ¶à¸ö·´ÐòÁл¯Îó²î

Ðû²¼Ê±¼ä 2020-08-27

0x00 Îó²î¸ÅÊö


񅧏

issue:2798¡¢issue:2814¡¢issue:2826¡¢issue:2827

ʱ¼ä

2020-08-27

ÀàÐÍ


µÈ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£

jackson-databind < 2.9.10.6


FasterxmlÖ÷ÒªÓÃÓÚJava ƽ̨µÄÊý¾ÝÆÊÎö¡£¡£¡£¡£¡£¡£jackson-databindÊÇFasterXMLÏîĿϵÄJSON¿â¡£¡£¡£¡£¡£¡£


Fasterxml jackson-databind 2.9.10.6֮ǰµÄ°æ±¾Öб£´æ¶à¸ö·´ÐòÁл¯Îó²î£¬£¬£¬£¬£¬¹¥»÷Õß¿Éͨ¹ýÈ«ÐĽṹµÄpayloadÔÚϵͳÉÏÖ´ÐжñÒâ´úÂ룬£¬£¬£¬£¬JacksonÊÇSpringBootÖÐÊ×Ñ¡ºÍĬÈϵÄת»»¹¤¾ß¡£¡£¡£¡£¡£¡£


0x01 Îó²îÏêÇé

   

ͼƬ1.png


issue:2798

¸ÃÎÊÌâÊÇÓÉÓÚcom.pastdev.httpcomponents:configuration ×é¼þ¿â±£´æ²»Çå¾²µÄ·´ÐòÁл¯¡£¡£¡£¡£¡£¡£


issue:2814

¸ÃÎÊÌâÊÇÓÉÓÚbr.com.anteros:Anteros-DBCP ×é¼þ¿â±£´æ²»Çå¾²µÄ·´ÐòÁл¯£¬£¬£¬£¬£¬ÒÑ·ÖÅÉCVE±àºÅ£ºCVE-2020-24616¡£¡£¡£¡£¡£¡£


issue:2826

¸ÃÎÊÌâÊÇÓÉÓÚcom.nqadmin.rowset:jdbcrowsetimpl ×é¼þ¿â±£´æ²»Çå¾²µÄ·´ÐòÁл¯¡£¡£¡£¡£¡£¡£


issue:2827

¸ÃÎÊÌâÊÇÓÉÓÚorg.arrahtec:profiler-core ×é¼þ¿â±£´æ²»Çå¾²µÄ·´ÐòÁл¯¡£¡£¡£¡£¡£¡£


0x02 ´¦Öóͷ£½¨Òé


Éý¼¶µ½×îеİ汾£¬£¬£¬£¬£¬ÈçÔÝʱÎÞ·¨Éý¼¶£¬£¬£¬£¬£¬½¨Òéեȡ»¥ÁªÍø»á¼û·´ÐòÁл¯½Ó¿Ú¡£¡£¡£¡£¡£¡£


0x03 Ïà¹ØÐÂÎÅ


0x04 ²Î¿¼Á´½Ó


https://github.com/Fasterxml/jackson-databind/issues/2798

https://github.com/FasterXML/jackson-databind/issues/2814

https://github.com/Fasterxml/jackson-databind/issues/2826

https://github.com/Fasterxml/jackson-databind/issues/2827


0x05 Ê±¼äÏß


2020-08-27 VSRCÐû²¼Îó²îͨ¸æ


vsrc.png