How the CVE Works
The vulnerability exists in `JsonLocation._appendSourceDesc` within Jackson-core, where exception messages incorrectly read from the start of a byte array instead of the specified offset. When parsing JSON using `JsonFactory.createParser(byte[] data, int offset, int len)`, a parse error triggers an exception that includes a snippet of the source data. Because the flawed implementation ignores the offset, that snippet can expose residual data left in the array by previous operations. This affects systems that reuse pooled buffers (e.g., Netty, Vert.x), potentially leaking sensitive information such as credentials or session tokens in HTTP error responses.
DailyCVE Form
Platform: Jackson-core
Version: <2.13.0
Vulnerability: Memory leak
Severity: Medium
Date: 2021-09-30
Prediction: Patch available
What Undercode Say:
Exploitation:
1. Attacker sends malformed JSON to a Jackson-based service.
2. Server reuses a pooled buffer containing residual data.
3. Exception message exposes unintended memory content.
Mitigation:
1. Upgrade to Jackson-core ≥2.13.0.
2. Disable source inclusion:
jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);
3. Filter exception messages in HTTP responses.
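As an added example, not code from the original post or from the Jackson project, the helper below applies mitigations 2 and 3 in one place: the factory has `INCLUDE_SOURCE_IN_LOCATION` disabled so no copy of the source bytes is ever embedded in a location description, and the client-facing error is rebuilt from line and column only, so the full `getMessage()` text never reaches an HTTP response. It assumes jackson-core 2.x on the classpath; the class name `SafeJsonReader`, the `Result` type and the `validate` method are hypothetical, and the buffer contents in `main` are constructed to mirror the PoC scenario.

```java
// Added example (not from the original post or the Jackson project).
// Assumes jackson-core 2.x; SafeJsonReader, Result and validate are hypothetical names.
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonLocation;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class SafeJsonReader {

    // Mitigation 2: never embed a copy of the source bytes in exception
    // messages, so a location description cannot carry residual buffer contents.
    private static final JsonFactory FACTORY = new JsonFactory()
            .disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);

    /** Outcome returned to the caller: token count on success, or a client-safe error. */
    public static final class Result {
        public final boolean ok;
        public final int tokens;
        public final String clientMessage;

        Result(boolean ok, int tokens, String clientMessage) {
            this.ok = ok;
            this.tokens = tokens;
            this.clientMessage = clientMessage;
        }
    }

    /** Parses only the [offset, offset+len) slice of a possibly pooled buffer. */
    public static Result validate(byte[] pooledBuffer, int offset, int len) {
        try (JsonParser parser = FACTORY.createParser(pooledBuffer, offset, len)) {
            int count = 0;
            while (parser.nextToken() != null) {
                count++;
            }
            return new Result(true, count, null);
        } catch (JsonProcessingException e) {
            // Mitigation 3: keep the full message server-side only; the client
            // gets line/column, never e.getMessage() and never a source snippet.
            JsonLocation loc = e.getLocation();
            String safe = (loc == null)
                    ? "Malformed JSON"
                    : String.format("Malformed JSON at line %d, column %d",
                            loc.getLineNr(), loc.getColumnNr());
            System.err.println("parse failure (internal log only): " + e.getMessage());
            return new Result(false, 0, safe);
        } catch (IOException e) {
            return new Result(false, 0, "Unreadable request body");
        }
    }

    public static void main(String[] args) {
        // Constructed input: residual data at the start of a pooled buffer and a
        // malformed document at offset 700, the same shape as the PoC scenario.
        byte[] buffer = new byte[1024];
        byte[] residue = "SECRET".getBytes(StandardCharsets.US_ASCII);
        byte[] bad = "{ \"bad\": }".getBytes(StandardCharsets.US_ASCII);
        System.arraycopy(residue, 0, buffer, 0, residue.length);
        System.arraycopy(bad, 0, buffer, 700, bad.length);

        Result r = validate(buffer, 700, bad.length);
        // Expected: r.ok is false, the message names only a line and column,
        // and the residual string never appears in the client-facing text.
        System.out.println(r.clientMessage);
        System.out.println("residual data in client message? " + r.clientMessage.contains("SECRET"));
    }
}
```

The two layers are deliberately independent: disabling the feature removes the snippet at the source, and rebuilding the response from `JsonLocation` fields alone protects callers even on a version where the feature is still on by default or re-enabled elsewhere in the application.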
Detection:
grep -r "JsonFactory.createParser" /path/to/code
Proof of Concept (PoC):
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;

byte[] buffer = new byte[1024]; // pooled buffer; the size was garbled in the original and 1024 is assumed here
// Residual data from an earlier operation sits at the start of the array
System.arraycopy("SECRET".getBytes(), 0, buffer, 0, 6);
// Malformed JSON is written at offset 700
System.arraycopy("{ \"bad\": }".getBytes(), 0, buffer, 700, 10);
// Parse only the slice starting at offset 700
JsonParser parser = new JsonFactory().createParser(buffer, 700, 20);
while (parser.nextToken() != null) { } // Throws JsonParseException whose source snippet is read from offset 0, exposing "SECRET"
Log Analysis:
grep "JsonParseException" server.log
Network Protection:
Block malformed JSON early (nginx):
location /api {
    if ($request_body ~ "[\x00-\x1F]") { return 400; }
}
Sources:
Reported By: github.com