CVE-2020-5411 Information

Description

When configured to enable default typing Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known \deserialization gadgets. Spring Batch configures Jackson with global default typing enabled which means that through the previous exploit arbitrary code could be executed if all of the following is true: LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext. LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). In order to protect against this type of attack Jackson prevents a set of untrusted gadget classes from being deserialized. Spring Batch should be proactive against blocking unknown \deserialization gadgets\ when enabling default typing.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://tanzu.vmware.com/security/cve-2020-5411

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1