Related vulnerability
Description
CVE-2019-10172 PoC and Possible mitigations
Introduction
## CVE-2019-10172 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172
CVE-2019-10172 is an XML External Entity (XXE) issue in Jackson 1.x (`jackson-mapper-asl`): `org.codehaus.jackson.map.ext.DOMDeserializer` (and the `xc` module's `DomElementJsonDeserializer`) parse a JSON string into an `org.w3c.dom.Node`/`Document` with a `DocumentBuilderFactory` that has no secure-processing or entity restrictions, so a DOCTYPE with external entities in that string is honoured.
No released version of the `org.codehaus.jackson` artifacts is known to be fixed; the last published release, 1.9.13, is affected.
It is recommended to investigate alternative components or a potential mitigating control.
## Mitigation
1. (Preferred) Migrate every use of Jackson 1.x (`org.codehaus.jackson`, artifacts `jackson-core-asl`/`jackson-mapper-asl`) to Jackson 2.x (`com.fasterxml.jackson`) and remove the 1.x jars from the classpath. The 1.x line is end-of-life, so this is the only option that also covers future issues.
2. Build and use the patched 1.x sources from the FasterXML/jackson-1 repository, where both affected deserializers set `_parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` on their `DocumentBuilderFactory`:
   - https://github.com/FasterXML/jackson-1/blob/master/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
   - https://github.com/FasterXML/jackson-1/blob/master/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java

   This means building the library from source; no fixed `org.codehaus.jackson` artifact was published. Caveat for anyone writing their own replacement deserializer instead: `FEATURE_SECURE_PROCESSING` mainly imposes resource limits (entity expansion counts and the like) and on its own does not disable external entity resolution on every JAXP implementation, so also disallow DOCTYPE declarations and turn off external general and parameter entities, as the OWASP XXE guidance recommends.
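The second mitigation applied without rebuilding the library, as an added example (this is not code from this repository or from Jackson): a hardened replacement for the `Node`/`Document` deserializer, registered through a Jackson 1.x `SimpleModule`. It assumes the JDK's built-in JAXP parser (the `http://apache.org/xml/...` feature URIs are Xerces-specific) and that a module-registered deserializer takes precedence over the built-in `DOMDeserializer` for these types, which is how Jackson 1.9 resolves custom deserializers. The XXE payload in `XXE_JSON` is constructed for the demonstration and is not taken from the repository's `poc*.xml` files.

```java
// Added example: hardened drop-in for Jackson 1.x's DOMDeserializer (not the repository's code).
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.codehaus.jackson.JsonParser;
import org.codehaus.jackson.Version;
import org.codehaus.jackson.map.DeserializationContext;
import org.codehaus.jackson.map.JsonDeserializer;
import org.codehaus.jackson.map.JsonMappingException;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.module.SimpleModule;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

/** Binds a JSON string to an org.w3c.dom.Node/Document with entity processing disabled. */
public final class HardenedDomDeserializer<T extends Node> extends JsonDeserializer<T> {

    private static final DocumentBuilderFactory FACTORY = newSecureFactory();
    private final Class<T> type;

    public HardenedDomDeserializer(Class<T> type) {
        this.type = type;
    }

    // FEATURE_SECURE_PROCESSING is what the jackson-1 fix sets; it mostly imposes limits and
    // does not by itself stop external entity resolution on every JAXP implementation. The
    // Apache/Xerces feature URIs below close that gap on the JDK's built-in parser (assumed
    // here). A parser that rejects them must not be used on untrusted input, so we fail closed.
    static DocumentBuilderFactory newSecureFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        try {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // XML carried inside JSON never needs a DOCTYPE; refusing it removes every
            // entity-based XXE vector (internal, external and parameter entities) at once.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("JAXP parser cannot be hardened against XXE", e);
        }
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    @Override
    public T deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException {
        String xml = jp.getText();
        try {
            Document doc = FACTORY.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return type.cast(doc);
        } catch (Exception e) {
            // Surface as a normal Jackson mapping failure rather than a raw SAX exception.
            throw new JsonMappingException("Rejected JSON string as XML: " + e.getMessage(), e);
        }
    }

    /** ObjectMapper that routes Node and Document targets through the hardened deserializer. */
    public static ObjectMapper secureMapper() {
        SimpleModule module = new SimpleModule("hardened-dom", new Version(1, 0, 0, null));
        module.addDeserializer(Node.class, new HardenedDomDeserializer<Node>(Node.class));
        module.addDeserializer(Document.class, new HardenedDomDeserializer<Document>(Document.class));
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModule(module);
        return mapper;
    }

    // Constructed input (not the repository's poc*.xml): a JSON string whose value is an XML
    // document declaring an external entity that points at a local file.
    static final String XXE_JSON =
            "\"<?xml version=\\\"1.0\\\"?>"
          + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \\\"file:///etc/hostname\\\">]>"
          + "<data>&xxe;</data>\"";

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = secureMapper();
        try {
            mapper.readValue(XXE_JSON, Node.class);
            System.out.println("FAIL: entity-bearing document was accepted");
        } catch (JsonMappingException e) {
            System.out.println("OK: rejected -> " + e.getMessage());
        }
        // Ordinary XML without a DOCTYPE still binds as before.
        Document ok = mapper.readValue("\"<person><name>alice</name></person>\"", Document.class);
        System.out.println("Root element: " + ok.getDocumentElement().getTagName());
    }
}
```

Run it against `jackson-mapper-asl` 1.9.x on the classpath: the first `readValue` fails with a mapping exception at the DOCTYPE, the second returns a document whose root element is `person`. Registering the deserializer for both `Node.class` and `Document.class` matters because the vulnerable built-in handles both targets; covering only one leaves the other on the unhardened path.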
File snapshot
```
[4.0K]  /data/pocs/0b01e4157b4de2379bbe6e38919598fa337a1c52
├── [1.0K]  pom.xml
├── [ 754]  README.md
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       └── [4.0K]  com
    │           └── [4.0K]  github
    │               └── [4.0K]  rusakovichma
    │                   └── [4.0K]  cve201910172
    │                       ├── [4.0K]  model
    │                       │   └── [ 295]  Person.java
    │                       ├── [4.0K]  secure
    │                       │   └── [2.5K]  DOMDeserializer.java
    │                       ├── [ 766]  SecureDOMDeserializer.java
    │                       └── [ 759]  VulnerableDOMDeserializer.java
    └── [4.0K]  test
        ├── [4.0K]  java
        │   └── [4.0K]  com
        │       └── [4.0K]  github
        │           └── [4.0K]  rusakovichma
        │               └── [4.0K]  cve201910172
        │                   ├── [ 615]  SecureDOMDeserializerTest.java
        │                   ├── [4.0K]  util
        │                   │   └── [ 513]  ResourceUtils.java
        │                   └── [1.3K]  VulnerableDOMDeserializerTest.java
        └── [4.0K]  resources
            ├── [ 225]  poc1.xml
            ├── [ 219]  poc2.xml
            └── [ 851]  poc3.xsl

17 directories, 12 files
```
Notes
1. Prefer accessing the PoC through its original source.
2. If the source has been removed or cannot be reached, e-mail f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating towards local POCs. Thank you for your support.