Description

Serialization is the process of turning an object into a data format that can be restored later. Applications commonly serialize objects in order to save them to storage or to send them as part of communications. Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object.

It was determined that your web application deserializes user-supplied JSON with the Jackson library (jackson-databind) with Polymorphic Type Handling enabled, typically through default typing (`ObjectMapper.enableDefaultTyping()`) or through `@JsonTypeInfo` configured with `JsonTypeInfo.Id.CLASS` or `Id.MINIMAL_CLASS`. In that mode the JSON document itself names the concrete class Jackson instantiates, so an attacker who controls the input can select any class on the application's classpath and have its constructor and setters run on attacker-controlled values. When a suitable class is present, this typically results in remote code execution or server-side request forgery; the long series of jackson-databind CVEs consists largely of individual such classes being blocked one at a time. Polymorphic Type Handling must therefore never be applied to untrusted data without an explicit allow-list of permitted types. Consult the References section for more information about this issue.

Remediation

Do not enable default typing (`ObjectMapper.enableDefaultTyping()`, deprecated since jackson-databind 2.10) on any ObjectMapper that handles untrusted input, and do not annotate model types with `@JsonTypeInfo(use = Id.CLASS)` or `Id.MINIMAL_CLASS`. Where polymorphic deserialization is genuinely needed, use `@JsonTypeInfo(use = Id.NAME)` together with an explicit `@JsonSubTypes` list, or activate default typing only via `activateDefaultTyping` with a `PolymorphicTypeValidator` (for example `BasicPolymorphicTypeValidator`) that allow-lists the permitted base and sub types. Upgrade jackson-databind to the most recent version, since blocklist entries for newly discovered gadget classes ship only in new releases; the upgrade on its own does not fix an unrestricted default typing configuration.
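The following is an added example, not code from the affected application or from the Jackson project, that puts the weak setting beside the two corrected forms described above. The package `demo`, the `Harmless`, `Shape`, `Circle` and `Square` classes and the JSON inputs are all constructed for this illustration; the Jackson calls (`enableDefaultTyping`, `activateDefaultTyping`, `BasicPolymorphicTypeValidator`, `@JsonTypeInfo`, `@JsonSubTypes`) are the library's real API (jackson-databind 2.10 or later).

```java
package demo;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeTypingDemo {

    // Harmless bean standing in for an application model class (constructed for this demo).
    public static class Harmless {
        public String msg;
    }

    // Explicit, name-based polymorphism: the JSON can only select one of the listed subtypes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double r; }
    public static class Square implements Shape { public double side; }

    // The weak setting: any class name the client writes into the JSON is resolved and instantiated.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10: OBJECT_AND_NON_CONCRETE with no validator
        return m;
    }

    // The corrected setting: default typing is only activated behind an allow-list validator.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            // Only class names under this prefix may be resolved; keep the prefix narrow,
            // a prefix such as "java." or "" would reopen the hole.
            .allowIfSubType("demo.")
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: with default typing, the wrapper array names the class to instantiate.
        // A real attack names a gadget class from the classpath in place of java.util.HashMap.
        String benign = "[\"demo.SafeTypingDemo$Harmless\", {\"msg\": \"hello\"}]";
        String unlisted = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

        ObjectMapper weak = vulnerableMapper();
        // The concrete class comes from the input, not from the application.
        System.out.println("weak mapper instantiated: "
            + weak.readValue(unlisted, Object.class).getClass().getName());

        ObjectMapper safe = hardenedMapper();
        Harmless h = (Harmless) safe.readValue(benign, Object.class);
        System.out.println("hardened mapper, allow-listed type: " + h.msg);
        try {
            safe.readValue(unlisted, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }

        // Explicit subtype registration needs no default typing at all: the logical name
        // "circle" maps to Circle, and anything not registered is rejected.
        ObjectMapper plain = new ObjectMapper();
        Shape s = plain.readValue("{\"type\":\"circle\",\"r\":2.5}", Shape.class);
        System.out.println("explicit subtype: " + s.getClass().getSimpleName());
        try {
            plain.readValue("{\"type\":\"java.util.HashMap\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("unregistered logical name rejected: " + e.getTypeId());
        }
    }
}
```

The `Id.NAME` plus `@JsonSubTypes` form is the preferred fix: the set of instantiable classes is fixed at compile time and the JSON only carries a logical name. The validator form is the fallback for code that genuinely needs default typing; in that case the allow-list must be reviewed with the same care as the deprecated setting it replaces, because an over-broad prefix or `allowIfBaseType(Object.class)` restores the original exposure.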

References

Related Vulnerabilities