// For flags

CVE-2020-5411

Jackson Configuration Allows Code Execution with Unknown "Serialization Gadgets"

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means that through the previous exploit, arbitrary code could be executed if all of the following is true: * Spring Batch's Jackson support is being leveraged to serialize a job's ExecutionContext. * A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). In order to protect against this type of attack, Jackson prevents a set of untrusted gadget classes from being deserialized. Spring Batch should be proactive against blocking unknown "deserialization gadgets" when enabling default typing.

Cuando se configuró para habilitar la escritura predeterminada, Jackson contenía una vulnerabilidad de deserialización que podría conllevar a una ejecución de código arbitraria. Jackson corrigió esta vulnerabilidad al incluir en la lista negra los "deserialization gadgets" conocidos. Spring Batch configura Jackson con la escritura predeterminada global habilitada, lo que significa que por medio de una explotación previa, se podría ejecutar un código arbitrario si se cumple todo lo siguiente: * El soporte Jackson de Spring Batch se está siendo aprovechado para serializar un ExecutionContext de trabajo. * Un usuario malicioso consigue acceso de escritura al almacén de datos usado por JobRepository (donde se almacenan los datos que son deserializados). A fin de protegerse contra este tipo de ataque, Jackson evita que se deserialice un conjunto de clases de gadget no confiables. Spring Batch debe ser proactivo contra el bloqueo de "deserialization gadgets" desconocidos cuando se habilita una escritura predeterminada

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-03 CVE Reserved
  • 2020-06-11 CVE Published
  • 2024-09-06 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://tanzu.vmware.com/security/cve-2020-5411 2020-08-07
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Pivotal Software
Search vendor "Pivotal Software"
 Spring Batch
Search vendor "Pivotal Software" for product "Spring Batch"
 >= 4.0.0 <= 4.0.4
Search vendor "Pivotal Software" for product "Spring Batch" and version " >= 4.0.0 <= 4.0.4"
-
Affected
Pivotal Software
Search vendor "Pivotal Software"
 Spring Batch
Search vendor "Pivotal Software" for product "Spring Batch"
 >= 4.1.0 <= 4.1.4
Search vendor "Pivotal Software" for product "Spring Batch" and version " >= 4.1.0 <= 4.1.4"
-
Affected
Pivotal Software
Search vendor "Pivotal Software"
 Spring Batch
Search vendor "Pivotal Software" for product "Spring Batch"
 >= 4.2.0 <= 4.2.2
Search vendor "Pivotal Software" for product "Spring Batch" and version " >= 4.2.0 <= 4.2.2"
-
Affected