Jackson-core, Information Disclosure, CVE-2021-22145 (Medium)


How the CVE Works

The vulnerability exists in `JsonLocation._appendSourceDesc` within Jackson-core: when building an exception message, the method reads the source snippet from the start of the byte array instead of from the specified offset. When JSON is parsed with JsonFactory.createParser(byte[] data, int offset, int len) and a parse error occurs, the resulting exception includes a snippet of the source data. Because the offset is ignored, that snippet is taken from index 0 and can contain residual data left in the array by previous operations. This affects systems that reuse pooled buffers (e.g., Netty, Vert.x), where the leading bytes may belong to an earlier request, potentially leaking sensitive information such as credentials or session tokens in HTTP error responses.

DailyCVE Form

Platform: Jackson-core
Version: <2.13.0
Vulnerability: Memory leak
Severity: Medium
Date: 2021-09-30

Prediction: Patch available

What Undercode Says:

Exploitation:

1. Attacker sends malformed JSON to a Jackson-based service.

2. Server reuses a pooled buffer containing residual data.

3. Exception message exposes unintended memory content.

Mitigation:

1. Upgrade to Jackson-core ≥2.13.0.

2. Disable source inclusion:

jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);

3. Filter exception messages in HTTP responses.

Detection:

grep -r "JsonFactory.createParser" /path/to/code

Proof of Concept (PoC):

import java.io.IOException;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;

byte[] buffer = new byte[1024]; // size assumed (original value was garbled); must exceed 700 + 20
System.arraycopy("SECRET".getBytes(), 0, buffer, 0, 6);        // residual data at the start of the pooled buffer
System.arraycopy("{ \"bad\": }".getBytes(), 0, buffer, 700, 10); // malformed JSON at the slice offset
JsonParser parser = new JsonFactory().createParser(buffer, 700, 20);
while (parser.nextToken() != null) { } // Throws JsonParseException at "}"; on <2.13.0 the message quotes "SECRET"
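As an added example (not code from the original post or from the Jackson project), the following helper combines mitigations 2 and 3 above and re-runs the PoC buffer against it: the factory disables INCLUDE_SOURCE_IN_LOCATION, and the error surfaced to the caller is rebuilt from getOriginalMessage() plus line/column, so no source snippet can reach an HTTP response. The class name, method name and buffer contents are assumptions constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;

public class SafeJsonParse {
    // Factory configured once: no source snippet in any JsonLocation or exception text.
    private static final JsonFactory FACTORY = new JsonFactory()
            .disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);

    /** Parses a slice of a (possibly pooled) buffer; rethrows a sanitized error. */
    public static void parseSlice(byte[] pooled, int offset, int len) throws IOException {
        try (JsonParser p = FACTORY.createParser(pooled, offset, len)) {
            while (p.nextToken() != null) {
                // walk every token so syntax errors anywhere in the slice are raised
            }
        } catch (JsonParseException e) {
            // getOriginalMessage() omits the location suffix, and with it any source excerpt
            throw new IOException("Invalid JSON at line " + e.getLocation().getLineNr()
                    + ", column " + e.getLocation().getColumnNr()
                    + ": " + e.getOriginalMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed input: a pooled buffer whose leading bytes are residue from an earlier request
        byte[] pooled = new byte[1024];
        byte[] residue = "SECRET".getBytes(StandardCharsets.UTF_8);
        System.arraycopy(residue, 0, pooled, 0, residue.length);
        byte[] bad = "{ \"bad\": }".getBytes(StandardCharsets.UTF_8);
        System.arraycopy(bad, 0, pooled, 700, bad.length);
        try {
            parseSlice(pooled, 700, bad.length);
        } catch (IOException e) {
            System.out.println(e.getMessage()); // safe to log or return: contains no "SECRET"
        }
    }
}
```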

Log Analysis:

grep "JsonParseException" server.log

Network Protection:

# Block malformed JSON early (illustrative; see note below)
location /api {
    if ($request_body ~ "[\x00-\x1F]") { return 400; }
}

Note: in nginx, `$request_body` is only populated after the body has been read for an upstream pass (proxy_pass and similar), while `if` inside a location runs in the rewrite phase before that happens, so this check alone does not reject bodies; body inspection needs a WAF or a body-filtering module in front of the application.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
