
Cloud Vulnerability DB
A community-led vulnerabilities database
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). The vulnerability was discovered and reported by XuYuanzhen of Alibaba Cloud Security Team (CVE Details).
The vulnerability exists in the interaction between serialization gadgets and typing functionality in jackson-databind versions prior to 2.9.10.4. The specific issue relates to the handling of the org.aoju.bus.proxy.provider.remoting.RmiProvider class. Starting with the 2.10 series, this vulnerability is mitigated because Safe Default Typing is enabled by default, but it remains an issue when Default Typing is explicitly enabled (Jackson Blog).
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability has a CVSS v3.1 Base Score of 8.8 (High), indicating significant potential impact on confidentiality, integrity and availability (NetApp Advisory).
The primary mitigation is to upgrade jackson-databind to version 2.9.10.4 or later. For users on version 2.10 and above, the vulnerability is mitigated by default because Safe Default Typing is enabled. However, if Default Typing is explicitly enabled, the vulnerability may still be present. Organizations should review their jackson-databind usage and ensure they are running the latest patched version (GitHub Issue).
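The Default Typing distinction above, as an added example that is not part of this report or of the Jackson project: a weak ObjectMapper with unrestricted Default Typing beside a hardened one that keeps Default Typing on but allowlists a single base type through a PolymorphicTypeValidator. The Event, LoginEvent, Unexpected and Envelope types and the sample JSON are hypothetical and constructed for the demonstration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {
    // Hypothetical application types. Event is the only polymorphic hierarchy
    // that incoming JSON should ever be able to name.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }
    public static class Unexpected { public String data; }  // any class that is not an Event
    public static class Envelope { public Object payload; } // Object-typed field triggers Default Typing

    // Weak: unrestricted Default Typing (pre-2.10 API). The type id embedded in
    // the JSON decides which class gets instantiated, with no allowlist in between.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();  // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened: Default Typing stays on, but only subtypes of Event may be resolved.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);  // 2.10+ API; denies anything not allowlisted
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the type id names a class that exists but is not an Event.
        String json = "{\"payload\":[\"" + Unexpected.class.getName() + "\",{\"data\":\"x\"}]}";
        Envelope weak = weakMapper().readValue(json, Envelope.class);
        System.out.println("weak mapper instantiated: " + weak.payload.getClass().getName());
        try {
            hardenedMapper().readValue(json, Envelope.class);  // rejected before instantiation
        } catch (JsonMappingException e) {  // InvalidTypeIdException in 2.10+
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
        // Legitimate polymorphic data still round-trips under the allowlist.
        ObjectMapper hardened = hardenedMapper();
        Envelope env = new Envelope();
        LoginEvent login = new LoginEvent();
        login.user = "alice";
        env.payload = login;
        Envelope back = hardened.readValue(hardened.writeValueAsString(env), Envelope.class);
        System.out.println("allowed: " + ((LoginEvent) back.payload).user);
    }
}
```

Running this against jackson-databind 2.10 or later shows the same input accepted by the weak mapper and refused by the hardened one; on a 2.9.x build the activateDefaultTyping call is unavailable, which is itself a reason to upgrade.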
Source: This report was generated using AI