Source: Jackson official site
Published: 2021-09-04
Update title
Block 2 more gadget types
Update details
Another gadget type(s) reported regarding class(es) of [library to include on publish] library.
(see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem).
The current criteria for considering a block is specified as follows:
https://github.com/FasterXML/jackson/wiki/Jackson-Polymorphic-Deserialization-CVE-Criteria
and the reported type(s) fulfill the criteria.
Reporter(s):
Mitre id(s):
* Not (yet?) requested
Fix would be included in:
* 2.9.10.9 (usable via `jackson-bom` version ---) if fix is released
* Not considered valid CVE for Jackson 2.10.0 and later (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)