【安全漏洞】jackson-databind漏洞、 异常NoClassDefFoundError: Could not initialize class com.fasterxml.jackson

最新推荐文章于 2024-08-08 14:04:36 发布
最新推荐文章于 2024-08-08 14:04:36 发布
阅读量1.4w 收藏 15
点赞数 7
分类专栏: Java 分布式、微服务 文章标签: jackson-databind漏洞
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/kzadmxz/article/details/97191101
版权

一、jackson-databind漏洞

       国家信息安全漏洞库:http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201906-867 

        

 

二、发现项目中有使用2.6.3版本的jackson,所以进行升级

     jackson-databind 升级到2.9.9.1、  jackson-core升级到2.9.9

             <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
                <artifactId>jackson-core</artifactId>
                <version>2.9.9</version>
            </dependency>
            <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
                <artifactId>jackson-databind</artifactId>
                <version>2.9.9.1</version>
            </dependency>

 

 

三、测试环境发布时,报错,如下

2019-07-24 20:59:52,770 ERROR  localhost-startStop-1 [TomcatStarter] Error starting Tomcat context. 
Exception: org.springframework.beans.factory.BeanCreationException. 
Message: Error creating bean with name 'httpPutFormContentFilter' defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.class]: Bean instantiation via factory method failed; 
nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.web.filter.OrderedHttpPutFormContentFilter]: Factory method 'httpPutFormContentFilter' threw exception; 
nested exception is java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
2019-07-24 20:59:52,836 INFO   main [StandardService] Stopping service [Tomcat]
2019-07-24 20:59:52,983 WARN   localhost-startStop-1 [WebappClassLoaderBase] The web application [express-as] appears to have started a thread named [RxIoScheduler-1 (Evictor)] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 sun.misc.Unsafe.park(Native Method)
 java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
 java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
 java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1093)
 java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:8
最低0.47元/天 解锁文章
开着奥迪卖小猪
关注
专栏目录
CVE-2020-36189 jackson-databind java反序列化漏洞
mirocky的博客
10-13 2719
该方法允许json字符串中指定反序列化java对象的类名,而在使用Object、Map、List等对象时,可诱发反序列化漏洞,导致可执行任意命令。com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource类中实现了url的输入和调用,通过可控的url进行payload的打入,即可依靠ObjectMapper的反序列化漏洞实现SSRF和RCE。,}]的形式,将对象的参数的类名打印,是json中的类名。
fasterxml jackson 的包冲突太垃圾太恶心了: Could not initialize class com.fasterxml.jackson.databind.Seriali......
程序员光剑
07-09 9189
Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.SerializationConfig at com.fasterxml.jackson.databind.ObjectMapper.<init>(ObjectMapper.java...
NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
热门推荐
zhi_ai_yaya的专栏
06-22 1万+
Springboot2.x对web的支持报jackson错误。 pom.xml加上这段 <!-- 解决构建失败问题 --> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databin...
java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/ser/std/ToStringSerializerBase
最新发布
qq_38254635的博客
08-08 359
java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/ser/std/ToStringSerializerBase
NoClassDefFoundError Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
小人物的草稿本
03-28 2748
应用启动异常:Factory method 'jacksonObjectMapper' threw exception; nested exception is java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.ObjectMapper ll is not a number, throw NumberFormatException. Stopping available co
安全漏洞jackson-databind漏洞异常NoClassDefFoundError: Could not initialize class com.fasterxml.jackson
Half of if的博客
10-09 632
一、jackson-databind漏洞 https://blog.csdn.net/kzadmxz/article/details/97191101
spring boot中使用jackson出现java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jack
zhuge134的博客
12-31 7442
Jackson Dependency Issue in Spring Boot with Maven Build In this article, a Spring Boot 1.3.3 dependency issue is explored and an override is provided.  by  John Thompson     · May. 23, 16 · Java ...
Jackson-databind 反序列化漏洞(CVE-2017-7525、CVE-2017-17485)
zzzzz1284的博客
03-13 1322
CVE-2017-7525、CVE-2017-17485
Could not write JSON: Error creating bean with name 'com.chinagpay.manage.utils.convert.ProductSerializer': Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: Could not initialize class com.chinagpay.manage.utils.convert.ProductSerializer; nested exception is com.fasterxml.jackson.databind.JsonMappingException: Error creating bean with name 'com.chinagpay.manage.utils.convert.ProductSerializer': Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: Could not initialize class com.chinagpay.manage.utils.convert.ProductSerializer (through reference chain: com.chinagpay.manage.model.BaseListResponse["dataList"]->java.util.ArrayList[0])]这个报错怎么解决
06-06
这个错误通常是由于缺少依赖库或者类加载器的问题引起的。你可以尝试以下几个步骤来解决这个问题: 1. 检查你的项目依赖,确保所有需要的库都已经被正确引入。 2. 检查你的类加载器配置,确保类加载器能够找到所需...
sqoop1.4.7+hive2.3.6+hadoop2.8.5+mysql8.0兼容遇到的一些问题
BackToMe的博客
09-21 1563
sqoop 跑任务时,出现 Sqoop:Import failed:java.lang.ClassNotFoundException:org.apache.hadoop.hive.conf.HiveConf 在profile中加入 export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$HIVE_HOME/lib/* 在sqoop-env.sh加入 HIVE_CON...
jackson-databind-vuln:Jackson Databind漏洞
05-26
杰克逊·德宾宾·沃恩 Jackson Databind漏洞
jackson-CVE-2020-8840:FasterXMLjackson-databind远程代码执行漏洞
03-08
CVE-2020-8840 FasterXML / jackson-databind远程代码执行漏洞
zeppelin使用中的问题汇总
简单就好
03-03 5261
1、使用zeppelin 0.6.2的spark interpreter报错报错:java.lang.NoClassDefFoundError: Could not initialize class org.apache.spark.rdd.RDDOperationScope$ Interpreter output:com.fasterxml.jackson.databind.JsonMapping
SpringBoot 因为jackson版本问题启动失败
风雨的博客
05-10 1万+
解决因为版本问题的报错 pom.xml <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.5.3...
java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.ObjectMapp
快乐小咸鱼007的博客
09-16 1万+
springboot2.X整合mybatis plus3.X坑系列 解决办法:引入以下依赖 &amp;amp;amp;amp;lt;!-- 解决构建失败问题 --&amp;amp;amp;amp;gt; &amp;amp;amp;amp;lt;dependency&amp;amp;amp;amp;gt; &amp;amp;amp;amp;lt;groupId&amp;amp;amp;amp;gt;
Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
qqnbsp的博客
06-16 7496
部署到docker,报错如下: 2020-06-15 23:22:21.524 --- [ main] : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfig.
springboot项目启动失败Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
u010034713的博客
12-11 1万+
项目启动报错 org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat at org.springframework.boot.web.servlet.context.Servl
Could not initialize class com.fasterxml.jackson
weixin_45788869的博客
03-12 3434
Optional Chaining 是 JavaScript 的一个新特性,它允许我们在尝试访问对象的属性之前检查对象是否存在。其他语言也有类似的东西,例如,C# 的 Null Conditional 操作符,与 Optional Chaining 非常类似。 JavaScript 中的长属性访问链很容易出错,因为它们中的任何一个都可能评估为null或undefined(也称为“空”值)。要在每个...
评论 5
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值