Deserialization of Untrusted Data
FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable via two different gadgets that bypass a denylist.
jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass
FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable by sending maliciously crafted JSON input to the `readValue` method of the `ObjectMapper`, bypassing a denylist that is ineffective if the Spring libraries are available in the classpath.
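The denylist bypass described above is the reason to gate polymorphic type ids with an allowlist instead; the following is an added example, not code from the advisory or from the jackson-databind project. It assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` are available) and an application that needs polymorphic typing at all; `Shape`, `Circle` and `Unlisted` are hypothetical classes constructed for the demonstration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistTypingExample {
    // Hypothetical application types: the only classes JSON input may name.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    // Constructed stand-in for any other class that happens to be on the classpath.
    public static class Unlisted { public String value; }

    static ObjectMapper hardenedMapper() {
        // Allowlist: a type id is accepted only if it resolves to a Shape subtype.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns true if readValue accepted the input; any mapping failure,
    // including a type id rejected by the validator, returns false.
    static boolean accepts(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed inputs in Jackson's default wrapper-array form: ["<class name>", {...}]
        String listed = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        String unlisted = "[\"" + Unlisted.class.getName() + "\",{\"value\":\"x\"}]";
        System.out.println("listed accepted:   " + accepts(mapper, listed));
        System.out.println("unlisted accepted: " + accepts(mapper, unlisted));
    }
}
```

Unlike a denylist, this configuration does not depend on which libraries are present on the classpath: a class that is not a `Shape` subtype is rejected whether or not anyone has catalogued it as dangerous.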