Search for packages
| purl | pkg:deb/debian/jackson-databind@2.4.2-2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-16af-yv1z-xufy
Aliases: CVE-2019-17531 GHSA-gjmw-vf9h-g25v |
jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. |
Affected by 1 other vulnerability. |
|
VCID-2qzn-mkhg-1qh3
Aliases: CVE-2020-11111 GHSA-v3xw-c963-f5hc |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). |
Affected by 1 other vulnerability. |
|
VCID-2x39-rsxh-rkgw
Aliases: CVE-2018-19362 GHSA-c8hm-7hpq-7jhg |
Deserialization of Untrusted Data FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the `jboss-common-core` class from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-3qjf-azsa-fbek
Aliases: CVE-2020-14060 GHSA-j823-4qch-3rgm |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). |
Affected by 1 other vulnerability. |
|
VCID-3wa1-khqf-x7fv
Aliases: CVE-2020-10968 GHSA-rf6r-2c4q-2vwg |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). |
Affected by 1 other vulnerability. |
|
VCID-4an1-3hs5-3yd6
Aliases: CVE-2020-36183 GHSA-9m6f-7xcq-8vf8 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. |
Affected by 1 other vulnerability. |
|
VCID-4vx2-s262-ckbp
Aliases: CVE-2020-36188 GHSA-f9xh-2qgp-cq57 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`. |
Affected by 1 other vulnerability. |
|
VCID-56sb-829v-6qbz
Aliases: CVE-2019-12814 GHSA-cmfg-87vq-g5g4 |
Information Disclosure A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. |
Affected by 50 other vulnerabilities. |
|
VCID-5qfd-jjh1-d3fx
Aliases: CVE-2020-10673 GHSA-fqwf-pjwf-7vqv |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). |
Affected by 1 other vulnerability. |
|
VCID-5r6v-ej7d-ubgv
Aliases: CVE-2018-12022 GHSA-cjjf-94ff-43w7 |
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-5te6-415m-c7df
Aliases: CVE-2020-24750 GHSA-qjw2-hr98-qgfh |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. |
Affected by 1 other vulnerability. |
|
VCID-6xn4-4gfc-tbgj
Aliases: CVE-2019-14439 GHSA-gwp4-hfv6-p7hw |
Deserialization of untrusted data in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-6zee-aqcc-vfbp
Aliases: CVE-2018-11307 GHSA-qr7j-h6gg-jmgc |
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-75mz-c1ds-vqed
Aliases: CVE-2018-14718 GHSA-645p-88qh-w398 |
Deserialization of Untrusted Data FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `slf4j-ext` class from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-7qga-wsz6-kqcn
Aliases: CVE-2020-36182 GHSA-89qr-369f-5m5x |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. |
Affected by 1 other vulnerability. |
|
VCID-8h7y-y4pv-cyd3
Aliases: CVE-2020-10650 GHSA-rpr3-cw39-3pxh GMS-2022-2955 |
jackson-databind vulnerable to unsafe deserialization The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`. |
Affected by 1 other vulnerability. |
|
VCID-8ns6-kacn-dkeg
Aliases: CVE-2020-36189 GHSA-vfqx-33qm-g869 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. |
Affected by 1 other vulnerability. |
|
VCID-8tmq-zbmb-m7h4
Aliases: CVE-2019-16943 GHSA-fmmc-742q-jg75 |
jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-96pq-m4f3-zbad
Aliases: CVE-2019-20330 GHSA-gww7-p5w4-wrfv |
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking. |
Affected by 1 other vulnerability. |
|
VCID-9h46-72hw-bkcr
Aliases: CVE-2022-42003 GHSA-jjjh-jjxp-wpff |
Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. |
Affected by 1 other vulnerability. |
|
VCID-9qdt-7p83-4yd8
Aliases: CVE-2020-10969 GHSA-758m-v56v-grj4 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. |
Affected by 1 other vulnerability. |
|
VCID-9wej-f7zx-pfeq
Aliases: CVE-2019-12086 GHSA-5ww9-j83m-q7qx |
Information exposure in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-a5sk-5grx-eyaf
Aliases: CVE-2020-11619 GHSA-27xj-rqx5-2255 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). |
Affected by 1 other vulnerability. |
|
VCID-avut-gmwd-jqfp
Aliases: CVE-2019-16942 GHSA-mx7p-6679-8g3q |
Polymorphic Typing in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-bc2x-rwrd-tya6
Aliases: CVE-2017-17485 GHSA-rfx6-vp9g-rh7v |
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. |
Affected by 68 other vulnerabilities. Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-bydt-bkf4-rbh2
Aliases: CVE-2020-9546 GHSA-5p34-5m6p-p58g |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). |
Affected by 1 other vulnerability. |
|
VCID-bypv-wfhs-sbe4
Aliases: CVE-2019-14540 GHSA-h822-r4r5-v8jg |
Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-ceub-d4s9-dkcd
Aliases: CVE-2017-15095 GHSA-h592-38cm-4ggp |
Deserialization of Untrusted Data A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the `readValue` method of the `ObjectMapper`. |
Affected by 68 other vulnerabilities. Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-cytp-mr4h-g3ds
Aliases: CVE-2020-36184 GHSA-m6x4-97wx-4q27 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. |
Affected by 1 other vulnerability. |
|
VCID-ec58-s3nd-7yaz
Aliases: CVE-2021-20190 GHSA-5949-rw7g-wx7w |
Deserialization of untrusted data in jackson-databind A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
Affected by 1 other vulnerability. |
|
VCID-fafy-ugq3-cfbn
Aliases: CVE-2018-14721 GHSA-9mxf-g3x6-wv74 |
Server-Side Request Forgery (SSRF) FasterXML jackson-databind might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the `axis2-jaxws` class from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-g6up-yqg8-nbep
Aliases: CVE-2018-14719 GHSA-4gq5-ch57-c2mg |
Deserialization of Untrusted Data FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `blaze-ds-opt` and `blaze-ds-core` classes from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-g8gt-d7gz-13e6
Aliases: CVE-2018-19360 GHSA-f9hv-mg5h-xcw9 |
Deserialization of Untrusted Data FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-gtzx-y5f1-vye3
Aliases: CVE-2020-36181 GHSA-cvm9-fjm9-3572 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`. |
Affected by 1 other vulnerability. |
|
VCID-hwnx-vf4v-f3db
Aliases: CVE-2020-24616 GHSA-h3cw-g4mq-c5x2 |
Code Injection in jackson-databind This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). |
Affected by 1 other vulnerability. |
|
VCID-jcgb-bewy-4kff
Aliases: CVE-2020-36185 GHSA-8w26-6f25-cm9x |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`. |
Affected by 1 other vulnerability. |
|
VCID-jvp6-892x-nkc7
Aliases: CVE-2020-9548 GHSA-p43x-xfjf-5jhr |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). |
Affected by 1 other vulnerability. |
|
VCID-jx9y-fyfm-bqdr
Aliases: CVE-2019-16335 GHSA-85cw-hj65-qqv9 |
Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-m7jp-7n22-4qg8
Aliases: CVE-2018-19361 GHSA-mx9v-gmh4-mgqw |
Deserialization of Untrusted Data FasterXML jackson-databind might allow attackers to have unspecified impact by leveraging failure to block the `openjpa` class from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-pnt3-1ssq-tqau
Aliases: CVE-2020-14061 GHSA-c2q3-4qrh-fm48 |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). |
Affected by 1 other vulnerability. |
|
VCID-ruae-hqdg-m7ek
Aliases: CVE-2020-9547 GHSA-q93h-jc49-78gg |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). |
Affected by 1 other vulnerability. |
|
VCID-svkb-adja-qfef
Aliases: CVE-2019-17267 GHSA-f3j5-rmmp-3fc5 |
Improper Input Validation in jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. |
Affected by 1 other vulnerability. |
|
VCID-sw29-epz3-g7ep
Aliases: CVE-2018-14720 GHSA-x2w5-5m2g-7h5m |
Improper Restriction of XML External Entity Reference FasterXML jackson-databind might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-swqd-uk56-wkat
Aliases: CVE-2020-35491 GHSA-r3gr-cxrf-hg25 |
Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
Affected by 1 other vulnerability. |
|
VCID-tkej-jh51-s7g5
Aliases: CVE-2020-11112 GHSA-58pp-9c76-5625 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). |
Affected by 1 other vulnerability. |
|
VCID-tm7y-tnx3-43dq
Aliases: CVE-2019-14893 GHSA-qmqc-x3r4-6v39 |
Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. |
Affected by 1 other vulnerability. |
|
VCID-twvp-wxff-zka2
Aliases: CVE-2020-11113 GHSA-9vvp-fxw6-jcxr |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). |
Affected by 1 other vulnerability. |
|
VCID-u87p-2xgz-e3fj
Aliases: CVE-2020-36187 GHSA-r695-7vr9-jgc2 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. |
Affected by 1 other vulnerability. |
|
VCID-uhnv-3cny-qkgx
Aliases: CVE-2020-36179 GHSA-9gph-22xh-8x98 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`. |
Affected by 1 other vulnerability. |
|
VCID-ukwd-7rkh-sfhj
Aliases: CVE-2020-35728 GHSA-5r5r-6hpj-8gg9 |
Deserialization of Untrusted Data FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). |
Affected by 1 other vulnerability. |
|
VCID-unwq-s63h-uuaw
Aliases: CVE-2018-5968 GHSA-w3f4-3q6j-rh82 |
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. |
Affected by 68 other vulnerabilities. Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-uygc-h93v-vuh8
Aliases: CVE-2020-14062 GHSA-c265-37vj-cwcc |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). |
Affected by 1 other vulnerability. |
|
VCID-v2pq-1qhm-4qb9
Aliases: CVE-2022-42004 GHSA-rgv9-q543-rqg4 |
Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. |
Affected by 1 other vulnerability. |
|
VCID-v6ek-y7cn-kycd
Aliases: CVE-2020-36518 GHSA-57j2-w4cx-62h2 |
Uncontrolled Resource Consumption jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |
Affected by 1 other vulnerability. |
|
VCID-v84e-sf92-dqa1
Aliases: CVE-2017-7525 GHSA-qxxx-2pp7-5hmx |
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. |
Affected by 68 other vulnerabilities. Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-w51e-ntqd-8bbg
Aliases: CVE-2020-25649 GHSA-288c-cq4h-88gq |
XML External Entity (XXE) Injection in Jackson Databind A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. |
Affected by 1 other vulnerability. |
|
VCID-wdgx-34uc-2qa4
Aliases: CVE-2020-10672 GHSA-95cm-88f5-f2c7 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). |
Affected by 1 other vulnerability. |
|
VCID-wds4-urpb-euby
Aliases: CVE-2020-36186 GHSA-v585-23hc-c647 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`. |
Affected by 1 other vulnerability. |
|
VCID-wg36-q48g-mkds
Aliases: CVE-2019-14379 GHSA-6fpp-rgj9-8rwc |
Deserialization of untrusted data in FasterXML jackson-databind SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-x4fr-ena4-47fe
Aliases: CVE-2020-11620 GHSA-h4rc-386g-6m85 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). |
Affected by 1 other vulnerability. |
|
VCID-x6g1-qw1v-jbas
Aliases: CVE-2018-7489 GHSA-cggj-fvv3-cqwv |
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. |
Affected by 68 other vulnerabilities. Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-x8c2-2u1w-yyfn
Aliases: CVE-2019-14892 GHSA-cf6r-3wgc-h863 |
Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. |
Affected by 1 other vulnerability. |
|
VCID-xnyb-nuwm-pkdr
Aliases: CVE-2020-8840 GHSA-4w82-r329-3q67 |
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. |
Affected by 1 other vulnerability. |
|
VCID-ygs8-4gxq-kygq
Aliases: CVE-2019-12384 GHSA-mph4-vhrx-mv67 |
Deserialization of Untrusted Data in FasterXML jackson-databind FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. |
Affected by 50 other vulnerabilities. |
|
VCID-yp37-9z2d-akaj
Aliases: CVE-2020-36180 GHSA-8c4j-34r4-xr8g |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. |
Affected by 1 other vulnerability. |
|
VCID-ypbt-p34k-hfbc
Aliases: CVE-2020-35490 GHSA-wh8g-3j2c-rqj5 |
Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. |
Affected by 1 other vulnerability. |
|
VCID-zdwv-ycey-myfc
Aliases: CVE-2018-12023 GHSA-6wqp-v4v6-c87c |
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. |
Affected by 68 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-ze79-6kcg-nfcp
Aliases: CVE-2020-14195 GHSA-mc6h-4qgp-37qh |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||