BugTraq
CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used
Jan 09 2018 08:23AM
Imre Rad (radimre83 gmail com)
Jackson-databind is a popular library in Java for JSON
marshalling/unmarshalling.

It has a feature called default-typing: when the target class has some
polymorphic fields inside (such as interfaces, abstract classes or the
Object base class), the library can include type info in the JSON
structure...
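
The following is an added example, not part of the original post: it shows the type info that default typing writes into the JSON for an Object field, and a mapper that only accepts type ids from an allowlist. Envelope, Note and the Date payload are hypothetical names and constructed sample data; the allowlisting calls assume jackson-databind 2.10 or later.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {
    // Hypothetical DTO: the Object field is the polymorphic slot.
    public static class Envelope { public Object payload; }
    // Hypothetical application type that the allowlist permits.
    public static class Note { public String text; }

    public static void main(String[] args) throws Exception {
        // Weak setting (deprecated since 2.10): the class to build is named by the JSON itself.
        ObjectMapper weak = new ObjectMapper().enableDefaultTyping();
        Envelope out = new Envelope();
        out.payload = new java.util.Date(0L); // constructed, benign sample value
        String json = weak.writeValueAsString(out);
        System.out.println("with type info: " + json);
        Envelope in = weak.readValue(json, Envelope.class);
        System.out.println("weak mapper built: " + in.payload.getClass().getName());

        // Corrected setting: type ids are honoured only for subtypes of Note.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper strict = new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            strict.readValue(json, Envelope.class);
            System.out.println("unexpected: type id accepted");
        } catch (JsonProcessingException e) {
            System.out.println("strict mapper rejected: " + e.getOriginalMessage());
        }

        // An allowlisted type still round-trips through the strict mapper.
        Note n = new Note();
        n.text = "hello";
        Envelope ok = new Envelope();
        ok.payload = n;
        Envelope back = strict.readValue(strict.writeValueAsString(ok), Envelope.class);
        System.out.println("strict mapper built: " + back.payload.getClass().getName());
    }
}
```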

Copyright 2010, SecurityFocus