Search for packages
| purl | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-16af-yv1z-xufy
Aliases: CVE-2019-17531 GHSA-gjmw-vf9h-g25v |
jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. |
Affected by 30 other vulnerabilities. |
|
VCID-5te6-415m-c7df
Aliases: CVE-2020-24750 GHSA-qjw2-hr98-qgfh |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. |
Affected by 11 other vulnerabilities. |
|
VCID-75mz-c1ds-vqed
Aliases: CVE-2018-14718 GHSA-645p-88qh-w398 |
Deserialization of Untrusted Data FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `slf4j-ext` class from polymorphic deserialization. |
Affected by 43 other vulnerabilities. |
|
VCID-8h7y-y4pv-cyd3
Aliases: CVE-2020-10650 GHSA-rpr3-cw39-3pxh GMS-2022-2955 |
jackson-databind vulnerable to unsafe deserialization The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`. |
Affected by 17 other vulnerabilities. |
|
VCID-8jw8-6tev-aqgm
Aliases: CVE-2018-1000873 GHSA-h4x4-5qp2-wp46 |
Improper Input Validation Fasterxml Jackson does not properly validate user input leading to a DoS. Specifically, deserializing malicious input of very large values in the nanoseconds field of a time value. |
Affected by 39 other vulnerabilities. |
|
VCID-8tmq-zbmb-m7h4
Aliases: CVE-2019-16943 GHSA-fmmc-742q-jg75 |
jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
Affected by 30 other vulnerabilities. |
|
VCID-9h46-72hw-bkcr
Aliases: CVE-2022-42003 GHSA-jjjh-jjxp-wpff |
Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9qdt-7p83-4yd8
Aliases: CVE-2020-10969 GHSA-758m-v56v-grj4 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. |
Affected by 24 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-avut-gmwd-jqfp
Aliases: CVE-2019-16942 GHSA-mx7p-6679-8g3q |
Polymorphic Typing in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. |
Affected by 30 other vulnerabilities. |
|
VCID-bydt-bkf4-rbh2
Aliases: CVE-2020-9546 GHSA-5p34-5m6p-p58g |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). |
Affected by 24 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-bypv-wfhs-sbe4
Aliases: CVE-2019-14540 GHSA-h822-r4r5-v8jg |
Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`. |
Affected by 33 other vulnerabilities. |
|
VCID-cytp-mr4h-g3ds
Aliases: CVE-2020-36184 GHSA-m6x4-97wx-4q27 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. |
Affected by 3 other vulnerabilities. |
|
VCID-fafy-ugq3-cfbn
Aliases: CVE-2018-14721 GHSA-9mxf-g3x6-wv74 |
Server-Side Request Forgery (SSRF) FasterXML jackson-databind might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the `axis2-jaxws` class from polymorphic deserialization. |
Affected by 43 other vulnerabilities. |
|
VCID-g6up-yqg8-nbep
Aliases: CVE-2018-14719 GHSA-4gq5-ch57-c2mg |
Deserialization of Untrusted Data FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `blaze-ds-opt` and `blaze-ds-core` classes from polymorphic deserialization. |
Affected by 43 other vulnerabilities. |
|
VCID-hwnx-vf4v-f3db
Aliases: CVE-2020-24616 GHSA-h3cw-g4mq-c5x2 |
Code Injection in jackson-databind This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). |
Affected by 11 other vulnerabilities. |
|
VCID-jcgb-bewy-4kff
Aliases: CVE-2020-36185 GHSA-8w26-6f25-cm9x |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`. |
Affected by 3 other vulnerabilities. |
|
VCID-jx9y-fyfm-bqdr
Aliases: CVE-2019-16335 GHSA-85cw-hj65-qqv9 |
Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. |
Affected by 33 other vulnerabilities. |
|
VCID-svkb-adja-qfef
Aliases: CVE-2019-17267 GHSA-f3j5-rmmp-3fc5 |
Improper Input Validation in jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. |
Affected by 33 other vulnerabilities. |
|
VCID-sw29-epz3-g7ep
Aliases: CVE-2018-14720 GHSA-x2w5-5m2g-7h5m |
Improper Restriction of XML External Entity Reference FasterXML jackson-databind might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. |
Affected by 43 other vulnerabilities. |
|
VCID-swqd-uk56-wkat
Aliases: CVE-2020-35491 GHSA-r3gr-cxrf-hg25 |
Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
Affected by 3 other vulnerabilities. |
|
VCID-u87p-2xgz-e3fj
Aliases: CVE-2020-36187 GHSA-r695-7vr9-jgc2 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. |
Affected by 3 other vulnerabilities. |
|
VCID-ukwd-7rkh-sfhj
Aliases: CVE-2020-35728 GHSA-5r5r-6hpj-8gg9 |
Deserialization of Untrusted Data FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). |
Affected by 3 other vulnerabilities. |
|
VCID-v2pq-1qhm-4qb9
Aliases: CVE-2022-42004 GHSA-rgv9-q543-rqg4 |
Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-v6ek-y7cn-kycd
Aliases: CVE-2020-36518 GHSA-57j2-w4cx-62h2 |
Uncontrolled Resource Consumption jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-wds4-urpb-euby
Aliases: CVE-2020-36186 GHSA-v585-23hc-c647 |
Unsafe Deserialization in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`. |
Affected by 3 other vulnerabilities. |
|
VCID-ypbt-p34k-hfbc
Aliases: CVE-2020-35490 GHSA-wh8g-3j2c-rqj5 |
Serialization gadgets exploit in jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-16af-yv1z-xufy | jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. |
CVE-2019-17531
GHSA-gjmw-vf9h-g25v |
| VCID-8tmq-zbmb-m7h4 | jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
CVE-2019-16943
GHSA-fmmc-742q-jg75 |
| VCID-96pq-m4f3-zbad | Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking. |
CVE-2019-20330
GHSA-gww7-p5w4-wrfv |
| VCID-avut-gmwd-jqfp | Polymorphic Typing in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. |
CVE-2019-16942
GHSA-mx7p-6679-8g3q |
| VCID-bypv-wfhs-sbe4 | Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`. |
CVE-2019-14540
GHSA-h822-r4r5-v8jg |
| VCID-jx9y-fyfm-bqdr | Polymorphic Typing issue in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. |
CVE-2019-16335
GHSA-85cw-hj65-qqv9 |
| VCID-svkb-adja-qfef | Improper Input Validation in jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. |
CVE-2019-17267
GHSA-f3j5-rmmp-3fc5 |
| VCID-tm7y-tnx3-43dq | Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. |
CVE-2019-14893
GHSA-qmqc-x3r4-6v39 |
| VCID-x8c2-2u1w-yyfn | Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. |
CVE-2019-14892
GHSA-cf6r-3wgc-h863 |
| VCID-xnyb-nuwm-pkdr | Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. |
CVE-2020-8840
GHSA-4w82-r329-3q67 |