
Jackson-databind and Default Typing Vulnerabilities

 5 years ago
source link: https://javachannel.org/posts/jackson-databind-and-default-typing-vulnerabilities/
Today, GitHub sent out security notices to owners of projects using old jackson-databind versions (older than 2.8.11.1 and 2.9.5). These notices pertain to this issue. I have talked about its relevance before on IRC, but since it is getting more attention now, I will describe it here again. The “bug” comes from using t
