A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping()
or when @JsonTypeInfo is using Id.CLASS
or Id.MINIMAL_CLASS
or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.
The following conditions are needed for an exploit, we recommend avoiding all if possible:
enableDefaultTyping()
@JsonTypeInfo using
id.CLASSor
id.MINIMAL_CLASS`