CVE-2020-36518 PoC — FasterXML jackson-databind buffer error vulnerability

Source
Associated Vulnerability
Title: FasterXML jackson-databind buffer error vulnerability (CVE-2020-36518)
Description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Description
Reproduction of CVE-2020-36518 in Spring Boot 2.5.10
Readme
# Reproduction of CVE-2020-36518 in Spring Boot 2.5.10

Execute:

```bash
./mvnw clean verify
```

It will fail with:

```
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.0.0:check (default) on project jackson-demo:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] jackson-databind-2.12.6.jar: CVE-2020-36518(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR]
```
File Snapshot

```
[4.0K] /data/pocs/25546891949b9501be8b58d749cab145eb5faeeb
├── [ 10K] mvnw
├── [6.6K] mvnw.cmd
├── [1.6K] pom.xml
├── [ 510] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] com
    │   │       └── [4.0K] hillert
    │   │           └── [4.0K] boot
    │   │               └── [4.0K] jackson
    │   │                   └── [ 327] JacksonDemoApplication.java
    │   └── [4.0K] resources
    │       └── [   1] application.properties
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] hillert
                    └── [4.0K] boot
                        └── [4.0K] jackson
                            └── [ 221] JacksonDemoApplicationTests.java

14 directories, 7 files
```