Search for packages
| purl | pkg:deb/debian/jackson-databind@2.14.0%2Bds-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-16af-yv1z-xufy | jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. |
CVE-2019-17531
GHSA-gjmw-vf9h-g25v |
| VCID-2cup-9gdn-yyhk | jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. |
CVE-2021-46877
GHSA-3x8x-79m2-3w2w |
| VCID-2qzn-mkhg-1qh3 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). |
CVE-2020-11111
GHSA-v3xw-c963-f5hc |
| VCID-2x39-rsxh-rkgw | Deserialization of Untrusted Data FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the `jboss-common-core` class from polymorphic deserialization. |
CVE-2018-19362
GHSA-c8hm-7hpq-7jhg |
| VCID-3qjf-azsa-fbek | Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). |
CVE-2020-14060
GHSA-j823-4qch-3rgm |
| VCID-3wa1-khqf-x7fv | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). |
CVE-2020-10968
GHSA-rf6r-2c4q-2vwg |
| VCID-4an1-3hs5-3yd6 | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. |
CVE-2020-36183
GHSA-9m6f-7xcq-8vf8 |
| VCID-4vx2-s262-ckbp | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`. |
CVE-2020-36188
GHSA-f9xh-2qgp-cq57 |
| VCID-56sb-829v-6qbz | Information Disclosure A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. |
CVE-2019-12814
GHSA-cmfg-87vq-g5g4 |
| VCID-5qfd-jjh1-d3fx | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). |
CVE-2020-10673
GHSA-fqwf-pjwf-7vqv |
| VCID-5r6v-ej7d-ubgv | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. |
CVE-2018-12022
GHSA-cjjf-94ff-43w7 |
| VCID-5te6-415m-c7df | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. |
CVE-2020-24750
GHSA-qjw2-hr98-qgfh |
| VCID-6xn4-4gfc-tbgj | Deserialization of untrusted data in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. |
CVE-2019-14439
GHSA-gwp4-hfv6-p7hw |
| VCID-6zee-aqcc-vfbp | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. |
CVE-2018-11307
GHSA-qr7j-h6gg-jmgc |
| VCID-75mz-c1ds-vqed | Deserialization of Untrusted Data FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `slf4j-ext` class from polymorphic deserialization. |
CVE-2018-14718
GHSA-645p-88qh-w398 |
| VCID-7qga-wsz6-kqcn | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. |
CVE-2020-36182
GHSA-89qr-369f-5m5x |
| VCID-8h7y-y4pv-cyd3 | jackson-databind vulnerable to unsafe deserialization The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`. |
CVE-2020-10650
GHSA-rpr3-cw39-3pxh GMS-2022-2955 |
| VCID-8ns6-kacn-dkeg | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. |
CVE-2020-36189
GHSA-vfqx-33qm-g869 |
| VCID-8tmq-zbmb-m7h4 | jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
CVE-2019-16943
GHSA-fmmc-742q-jg75 |
| VCID-96pq-m4f3-zbad | Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking. |
CVE-2019-20330
GHSA-gww7-p5w4-wrfv |
| VCID-9h46-72hw-bkcr | Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. |
CVE-2022-42003
GHSA-jjjh-jjxp-wpff |
| VCID-9qdt-7p83-4yd8 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. |
CVE-2020-10969
GHSA-758m-v56v-grj4 |
| VCID-9wej-f7zx-pfeq | Information exposure in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. |
CVE-2019-12086
GHSA-5ww9-j83m-q7qx |
| VCID-a5sk-5grx-eyaf | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). |
CVE-2020-11619
GHSA-27xj-rqx5-2255 |
| VCID-avut-gmwd-jqfp | Polymorphic Typing in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. |
CVE-2019-16942
GHSA-mx7p-6679-8g3q |
| VCID-bc2x-rwrd-tya6 | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. |
CVE-2017-17485
GHSA-rfx6-vp9g-rh7v |
| VCID-bydt-bkf4-rbh2 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). |
CVE-2020-9546
GHSA-5p34-5m6p-p58g |
| VCID-bypv-wfhs-sbe4 | Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`. |
CVE-2019-14540
GHSA-h822-r4r5-v8jg |
| VCID-ceub-d4s9-dkcd | Deserialization of Untrusted Data A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the `readValue` method of the `ObjectMapper`. |
CVE-2017-15095
GHSA-h592-38cm-4ggp |
| VCID-cytp-mr4h-g3ds | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. |
CVE-2020-36184
GHSA-m6x4-97wx-4q27 |
| VCID-ec58-s3nd-7yaz | Deserialization of untrusted data in jackson-databind A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
CVE-2021-20190
GHSA-5949-rw7g-wx7w |
| VCID-fafy-ugq3-cfbn | Server-Side Request Forgery (SSRF) FasterXML jackson-databind might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the `axis2-jaxws` class from polymorphic deserialization. |
CVE-2018-14721
GHSA-9mxf-g3x6-wv74 |
| VCID-g6up-yqg8-nbep | Deserialization of Untrusted Data FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `blaze-ds-opt` and `blaze-ds-core` classes from polymorphic deserialization. |
CVE-2018-14719
GHSA-4gq5-ch57-c2mg |
| VCID-g8gt-d7gz-13e6 | Deserialization of Untrusted Data FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. |
CVE-2018-19360
GHSA-f9hv-mg5h-xcw9 |
| VCID-gtzx-y5f1-vye3 | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`. |
CVE-2020-36181
GHSA-cvm9-fjm9-3572 |
| VCID-hwnx-vf4v-f3db | Code Injection in jackson-databind This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). |
CVE-2020-24616
GHSA-h3cw-g4mq-c5x2 |
| VCID-jcgb-bewy-4kff | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`. |
CVE-2020-36185
GHSA-8w26-6f25-cm9x |
| VCID-jvp6-892x-nkc7 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). |
CVE-2020-9548
GHSA-p43x-xfjf-5jhr |
| VCID-jx9y-fyfm-bqdr | Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. |
CVE-2019-16335
GHSA-85cw-hj65-qqv9 |
| VCID-m7jp-7n22-4qg8 | Deserialization of Untrusted Data FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the `openjpa` class from polymorphic deserialization. |
CVE-2018-19361
GHSA-mx9v-gmh4-mgqw |
| VCID-pnt3-1ssq-tqau | Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). |
CVE-2020-14061
GHSA-c2q3-4qrh-fm48 |
| VCID-ruae-hqdg-m7ek | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). |
CVE-2020-9547
GHSA-q93h-jc49-78gg |
| VCID-svkb-adja-qfef | Improper Input Validation in jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. |
CVE-2019-17267
GHSA-f3j5-rmmp-3fc5 |
| VCID-sw29-epz3-g7ep | Improper Restriction of XML External Entity Reference FasterXML jackson-databind might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. |
CVE-2018-14720
GHSA-x2w5-5m2g-7h5m |
| VCID-swqd-uk56-wkat | Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
CVE-2020-35491
GHSA-r3gr-cxrf-hg25 |
| VCID-tkej-jh51-s7g5 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). |
CVE-2020-11112
GHSA-58pp-9c76-5625 |
| VCID-tm7y-tnx3-43dq | Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. |
CVE-2019-14893
GHSA-qmqc-x3r4-6v39 |
| VCID-twvp-wxff-zka2 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). |
CVE-2020-11113
GHSA-9vvp-fxw6-jcxr |
| VCID-u87p-2xgz-e3fj | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. |
CVE-2020-36187
GHSA-r695-7vr9-jgc2 |
| VCID-uhnv-3cny-qkgx | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`. |
CVE-2020-36179
GHSA-9gph-22xh-8x98 |
| VCID-ukwd-7rkh-sfhj | Deserialization of Untrusted Data FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). |
CVE-2020-35728
GHSA-5r5r-6hpj-8gg9 |
| VCID-unwq-s63h-uuaw | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. |
CVE-2018-5968
GHSA-w3f4-3q6j-rh82 |
| VCID-uygc-h93v-vuh8 | Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). |
CVE-2020-14062
GHSA-c265-37vj-cwcc |
| VCID-v2pq-1qhm-4qb9 | Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. |
CVE-2022-42004
GHSA-rgv9-q543-rqg4 |
| VCID-v6ek-y7cn-kycd | Uncontrolled Resource Consumption jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |
CVE-2020-36518
GHSA-57j2-w4cx-62h2 |
| VCID-v84e-sf92-dqa1 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. |
CVE-2017-7525
GHSA-qxxx-2pp7-5hmx |
| VCID-w51e-ntqd-8bbg | XML External Entity (XXE) Injection in Jackson Databind A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. |
CVE-2020-25649
GHSA-288c-cq4h-88gq |
| VCID-wdgx-34uc-2qa4 | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). |
CVE-2020-10672
GHSA-95cm-88f5-f2c7 |
| VCID-wds4-urpb-euby | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`. |
CVE-2020-36186
GHSA-v585-23hc-c647 |
| VCID-wg36-q48g-mkds | Deserialization of untrusted data in FasterXML jackson-databind SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. |
CVE-2019-14379
GHSA-6fpp-rgj9-8rwc |
| VCID-x4fr-ena4-47fe | jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). |
CVE-2020-11620
GHSA-h4rc-386g-6m85 |
| VCID-x6g1-qw1v-jbas | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. |
CVE-2018-7489
GHSA-cggj-fvv3-cqwv |
| VCID-x8c2-2u1w-yyfn | Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. |
CVE-2019-14892
GHSA-cf6r-3wgc-h863 |
| VCID-xnyb-nuwm-pkdr | Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. |
CVE-2020-8840
GHSA-4w82-r329-3q67 |
| VCID-ygs8-4gxq-kygq | Deserialization of Untrusted Data in FasterXML jackson-databind FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. |
CVE-2019-12384
GHSA-mph4-vhrx-mv67 |
| VCID-yp37-9z2d-akaj | Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. |
CVE-2020-36180
GHSA-8c4j-34r4-xr8g |
| VCID-ypbt-p34k-hfbc | Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. |
CVE-2020-35490
GHSA-wh8g-3j2c-rqj5 |
| VCID-zdwv-ycey-myfc | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. |
CVE-2018-12023
GHSA-6wqp-v4v6-c87c |
| VCID-ze79-6kcg-nfcp | Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). |
CVE-2020-14195
GHSA-mc6h-4qgp-37qh |