This is PoC with two different gadgets to reproduce CVE-2018-5968 which can be used to exploit the default typing in jackson-databind.
Jackson-databind allows developers to use default-typing to handle polymorph fields when unmarshalling the json
to Java Object
. When developers open this feature by calling ObjectMapper.enableDefaultTyping()
method, it can be dangerous when the input is controlled by attackers.
Jackson-databind has a blacklist mechanism to avoid unmarshalling some dangerous classes. These classes are called gadgets. Now in this project, you will see that how can I use two different gadgets to bypass this blacklist and exploit to RCE vulnerability successfully.
MITRE assigned CVE-2018-5968 to this issue.
Through 2.8.11 and 2.9.x through 2.9.3
This issue was fixed in 2.9.4. So just update to the lastest version of jackson-databind to avoid potential risks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968