GHSA-rcqc-6cw3-h962MediumCVSS 6.5
jackson-databind has a @JsonView bypass for unwrapped creator parameters
🔗 CVE IDs covered (1)
📋 Description
Summary
UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.
Impact
View-restricted unwrapped creator parameters can be set from untrusted input where @JsonView is used as a write-side authorization boundary.
Affected / Patched (verified via git tag --contains)
- 2.21 line:
>= 2.21.0, < 2.21.4-> fixed in 2.21.4 (backport721fa07, #5973) - 3.x line:
>= 3.0.0, < 3.1.4-> fixed in 3.1.4 (#5971,d633bc0)
Severity / CWE
Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
🎯 Affected products2
- maven/com.fasterxml.jackson.core:jackson-databind:>= 2.21.0, < 2.21.4
- maven/tools.jackson.core:jackson-databind:>= 3.0.0, < 3.1.4
🔗 References (6)
- https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rcqc-6cw3-h962
- https://github.com/FasterXML/jackson-databind/pull/5971
- https://github.com/FasterXML/jackson-databind/pull/5973
- https://github.com/FasterXML/jackson-databind/commit/721fa07ebbd4aab4a659a1a68940878315c3e341
- https://github.com/FasterXML/jackson-databind/commit/d633bc038f200c1397c07f1a2b46f58e72c91eea
- https://github.com/advisories/GHSA-rcqc-6cw3-h962