Java: Unsafe deserialization with Jackson #368
Comments

Your submission is now in status SecLab review. For information, the evaluation workflow is the following:

Your submission is now in status FP Check. For information, the evaluation workflow is the following:

Your submission is now in status CodeQL review. For information, the evaluation workflow is the following:

Your submission is now in status SecLab finalize. For information, the evaluation workflow is the following:

FYI I wrote a blog post about detecting Jackson deserialization vulnerabilities with CodeQL.

Your submission is now in status Pay. For information, the evaluation workflow is the following:

Created Hackerone report 1287573 for bounty 323069 : [368] Java: Unsafe deserialization with Jackson

Your submission is now in status Closed. For information, the evaluation workflow is the following:
artem-smotrakov commented May 15, 2021 (edited)
Query

github/codeql#5900

CVE ID(s)

Report

Deserialization of untrusted data with Jackson is known to be dangerous:
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

I'd like to propose to add sinks for Jackson to UnsafeDeserialization.ql. There are multiple CVEs for deserialization gadgets for Jackson Databind:
https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html

Those CVEs create quite a lot of noise because many applications don't use polymorphic typing. The query would help check if applications are really affected by such CVEs. On the other hand, if an application actually turns on polymorphic typing, and deserializes data from remote peers, that would be a significant security risk that can be identified by this query.

I ~~am planning to write~~ wrote a blog post about detecting such issues.

Result(s)

2.16.4.
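As an added illustration (not code from this issue, the CodeQL query or the Jackson project), the two Jackson configurations the proposal distinguishes: the weak one where polymorphic typing accepts any type id from the input, which is the `readValue` sink worth reporting, beside a hardened one that restricts type ids with a `PolymorphicTypeValidator`. The `Shape`/`Circle` model classes and the JSON inputs are constructed for the example; it assumes jackson-databind 2.10 or later.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class JacksonPolymorphicTyping {
    // Hypothetical model types, assumed for the example.
    public static abstract class Shape {}
    public static class Circle extends Shape { public double radius; }

    // WEAK: default typing with a validator that accepts every subtype, so the
    // JSON document may name any class on the classpath (what the Jackson
    // gadget-chain CVEs exploit). readValue() on untrusted input with this
    // mapper is the sink the proposed query should report.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: type ids resolve only to subtypes of our own base class. A
    // name-prefix rule (allowIfSubType("com.example.model.")) is stricter still,
    // since it rejects before the named class is loaded.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class).build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default WRAPPER_ARRAY type-id form.
        String modelInput = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        String foreignInput = "[\"java.util.HashMap\",{}]";
        // The weak mapper instantiates whatever class the input names.
        Object o = weakMapper().readValue(foreignInput, Object.class);
        System.out.println("weak mapper built: " + o.getClass().getName());
        // The hardened mapper accepts the model type ...
        Shape s = hardenedMapper().readValue(modelInput, Shape.class);
        System.out.println("hardened mapper built: " + s.getClass().getSimpleName());
        // ... and rejects the foreign type id before any object is created.
        try {
            hardenedMapper().readValue(foreignInput, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected: " + e.getTypeId());
        }
    }
}
```

The older `enableDefaultTyping()` call (deprecated since 2.10) behaves like `weakMapper()` and is the same sink; a data-flow query that treats untrusted input reaching `readValue` on a mapper with default typing enabled as unsafe, but not one with a restrictive validator, is what keeps the CVE noise down for applications that never turn polymorphic typing on.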