Jackson Core Information Disclosure Vulnerability via Misleading Exception Messages
Vulnerability
A memory disclosure vulnerability affects Jackson Core versions 2.0.0 up to, but not including, 2.13.0. The defect is in `JsonLocation._appendSourceDesc`, the method that builds the source snippet Jackson appends to parse exception messages (the suffix of the form `at [Source: (byte[])"..."; line: N, column: M]`). When JSON is parsed from a byte array with an explicit offset and length, the snippet is copied from index 0 of the backing array instead of from the supplied offset, so up to 500 bytes of whatever precedes the logical payload end up in the message. In systems that pool or reuse buffers, such as Netty or Vert.x, those leading bytes can belong to an earlier request, which turns an ordinary parse error into an information disclosure.
Impact
An attacker who can submit malformed JSON and read the resulting error message receives up to 500 bytes of buffer content the application never intended to expose. With pooled buffers that content can be the tail of another user's request: session tokens, credentials or other private data. The conditions are common in HTTP services that reuse byte buffers and include parser error details in the response body, and the attacker needs nothing beyond the ability to send requests and read error responses.
Reproduction
Parse a byte array with `ObjectMapper.readValue(byte[], int offset, int len, TypeReference)` (or the overload that takes a `Class`) where the bytes before `offset` hold data the parser is not supposed to see, for example a valid JSON document standing in for a previous request, and the bytes from `offset` onward are malformed JSON. On an affected version the deserialization fails and the exception's source snippet starts at the beginning of the array rather than at `offset`, so the preceding bytes appear verbatim in the message. On 2.13.0 or later the snippet starts at `offset` and the preceding bytes are absent.
Remediation
Upgrade to Jackson Core 2.13.0 or later, where the snippet honors the supplied offset. If an immediate upgrade is not possible, two mitigations close the disclosure: turn off the inclusion of source data in exception messages by disabling `JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION` (also exposed as `StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` on 2.10 and later), and stop returning parser exception messages to clients, logging them server-side and answering with a generic error instead. The second measure is worth keeping even on a fixed version: with source inclusion enabled, the message still carries up to 500 bytes of the actual payload, which may itself be sensitive. From 2.16 onward Jackson disables source inclusion by default.
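The following program ties the Reproduction and Remediation sections together. It is an added example, not code from the page or from the Jackson project, and it assumes jackson-databind 2.x on the classpath. The stale secret and the malformed request body are constructed sample data; the 4 KiB array stands in for a pooled buffer that a previous request left partly filled. `JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION` is Jackson's real feature flag; the helper names (`pooledBuffer`, `parseErrorMessage`, `leaksStaleBytes`, `hardenedMapper`, `clientFacingError`) are ours.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.ObjectMapper;

public class SourceSnippetLeakDemo {

    // Constructed sample data: what an earlier request left behind in a pooled
    // buffer, followed by the current (malformed) request body.
    static final byte[] STALE_SECRET =
            "{\"authorization\":\"Bearer s3cr3t-token-from-previous-request\"}"
                    .getBytes(StandardCharsets.UTF_8);
    static final byte[] MALFORMED_PAYLOAD =
            "{\"user\":\"alice\",".getBytes(StandardCharsets.UTF_8); // unterminated object

    /** Lays out [stale secret][current payload][unused zeros] in one reused 4 KiB buffer. */
    static byte[] pooledBuffer() {
        byte[] pool = new byte[4096];
        System.arraycopy(STALE_SECRET, 0, pool, 0, STALE_SECRET.length);
        System.arraycopy(MALFORMED_PAYLOAD, 0, pool, STALE_SECRET.length, MALFORMED_PAYLOAD.length);
        return pool;
    }

    /** Parses only the [offset, offset + len) slice; returns the exception message, or null on success. */
    static String parseErrorMessage(ObjectMapper mapper, byte[] pool, int offset, int len) {
        try {
            mapper.readValue(pool, offset, len, Map.class);
            return null;
        } catch (IOException e) {
            // With INCLUDE_SOURCE_IN_LOCATION on, Jackson appends
            // " at [Source: (byte[])\"...\"; line: L, column: C]"; before 2.13.0
            // that snippet is taken from pool[0], not from pool[offset].
            return e.getMessage();
        }
    }

    /** True if bytes from outside the logical payload ended up in the message. */
    static boolean leaksStaleBytes(String message) {
        return message != null && message.contains("s3cr3t-token-from-previous-request");
    }

    /** Mitigation 1: do not put any source bytes into the exception at all. */
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper()
                .configure(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, false);
    }

    /** Mitigation 2: keep the detailed message server-side; hand the client only a reference. */
    static String clientFacingError(String serverSideMessage) {
        String ref = UUID.randomUUID().toString();
        System.err.println("parse failure ref=" + ref + ": " + serverSideMessage); // stand-in for a real logger
        return "{\"error\":\"malformed JSON\",\"ref\":\"" + ref + "\"}";
    }

    public static void main(String[] args) {
        byte[] pool = pooledBuffer();
        int offset = STALE_SECRET.length;   // logical start of the current request
        int len = MALFORMED_PAYLOAD.length;

        String defaultMsg = parseErrorMessage(new ObjectMapper(), pool, offset, len);
        System.out.println("default mapper message : " + defaultMsg);
        System.out.println("stale bytes leaked     : " + leaksStaleBytes(defaultMsg));

        String hardenedMsg = parseErrorMessage(hardenedMapper(), pool, offset, len);
        System.out.println("hardened mapper message: " + hardenedMsg);
        System.out.println("stale bytes leaked     : " + leaksStaleBytes(hardenedMsg));

        System.out.println("client sees            : " + clientFacingError(defaultMsg));
    }
}
```

Run it against an affected jackson-core (2.0.0 to 2.12.x) with a default `ObjectMapper` and the first `leaksStaleBytes` line reports `true`, because the snippet begins at `pool[0]` and carries the stale token. The hardened mapper reports `false` on every version, since no source bytes are included. On 2.13.0 or later the default mapper also reports `false`, but its message still quotes the current payload (`"alice"`), which is why `clientFacingError` returns only a generic body and a correlation reference regardless of the library version.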
