DerScanner
Home / Vulnerability Database / Kotlin : Unsafe JSON deserialization (Jackson)
Kotlin

Kotlin : Unsafe JSON deserialization (Jackson)

Classification

OWASP Top 10 2013
A1-Injection
OWASP Top 10 2017
A1-InjectionA8-Insecure Deserialization
OWASP Top 10 2021
A3-InjectionA8-Software and Data Integrity Failures
OWASP MASVS
V6: 6.8.(L1/L2/L1+R/L2+R)
OWASP ASVS
Validation, Sanitization and EncodingValidation, Sanitization and EncodingValidation, Sanitization and Encoding
PCI DSS 4.0
6.2.4
CWE
CWE-502CWE-1027
CWE/SANS Top 25 2021
CWE-502

Overview

Java code that deserializes JSON strings from untrusted sources can be vulnerable to a variety of attacks, including remote command execution (RCE), denial of service (DoS) and others.

References

  1. Deserialization
  2. CWE-502: Deserialization of Untrusted Data
  3. On Jackson CVEs: Don’t Panic - Here is what you need to know
  4. Class ObjectMapper
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
MEDIUM

DerScanner Severity Score

Do you want to fix Kotlin : Unsafe JSON deserialization (Jackson) in your application?

See also

Kotlin

Kotlin : Missing required cryptographic step

Kotlin

Kotlin : Logging into system output

Kotlin

Kotlin : Call of notify() in synchronized block