Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/tfm-rubygem-katello@3.12.0.41-1?arch=el7sat
purl pkg:rpm/redhat/tfm-rubygem-katello@3.12.0.41-1?arch=el7sat
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (13)
Vulnerability Summary Fixed by
VCID-3qjf-azsa-fbek
Aliases:
CVE-2020-14060
GHSA-j823-4qch-3rgm
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). There are no reported fixed by versions.
VCID-3wa1-khqf-x7fv
Aliases:
CVE-2020-10968
GHSA-rf6r-2c4q-2vwg
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). There are no reported fixed by versions.
VCID-96pq-m4f3-zbad
Aliases:
CVE-2019-20330
GHSA-gww7-p5w4-wrfv
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking. There are no reported fixed by versions.
VCID-9qdt-7p83-4yd8
Aliases:
CVE-2020-10969
GHSA-758m-v56v-grj4
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. There are no reported fixed by versions.
VCID-9wej-f7zx-pfeq
Aliases:
CVE-2019-12086
GHSA-5ww9-j83m-q7qx
Information exposure in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. There are no reported fixed by versions.
VCID-a5sk-5grx-eyaf
Aliases:
CVE-2020-11619
GHSA-27xj-rqx5-2255
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). There are no reported fixed by versions.
VCID-bydt-bkf4-rbh2
Aliases:
CVE-2020-9546
GHSA-5p34-5m6p-p58g
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). There are no reported fixed by versions.
VCID-jvp6-892x-nkc7
Aliases:
CVE-2020-9548
GHSA-p43x-xfjf-5jhr
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). There are no reported fixed by versions.
VCID-pnt3-1ssq-tqau
Aliases:
CVE-2020-14061
GHSA-c2q3-4qrh-fm48
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). There are no reported fixed by versions.
VCID-ruae-hqdg-m7ek
Aliases:
CVE-2020-9547
GHSA-q93h-jc49-78gg
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). There are no reported fixed by versions.
VCID-uygc-h93v-vuh8
Aliases:
CVE-2020-14062
GHSA-c265-37vj-cwcc
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). There are no reported fixed by versions.
VCID-xnyb-nuwm-pkdr
Aliases:
CVE-2020-8840
GHSA-4w82-r329-3q67
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. There are no reported fixed by versions.
VCID-ze79-6kcg-nfcp
Aliases:
CVE-2020-14195
GHSA-mc6h-4qgp-37qh
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:19:42.107189+00:00 RedHat Importer Affected by VCID-9wej-f7zx-pfeq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12086.json 38.0.0
2026-04-01T14:14:31.898507+00:00 RedHat Importer Affected by VCID-96pq-m4f3-zbad https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20330.json 38.0.0
2026-04-01T14:11:50.969424+00:00 RedHat Importer Affected by VCID-jvp6-892x-nkc7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9548.json 38.0.0
2026-04-01T14:11:26.873601+00:00 RedHat Importer Affected by VCID-ruae-hqdg-m7ek https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9547.json 38.0.0
2026-04-01T14:11:02.464454+00:00 RedHat Importer Affected by VCID-bydt-bkf4-rbh2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9546.json 38.0.0
2026-04-01T14:10:38.025842+00:00 RedHat Importer Affected by VCID-xnyb-nuwm-pkdr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8840.json 38.0.0
2026-04-01T14:10:19.724652+00:00 RedHat Importer Affected by VCID-9qdt-7p83-4yd8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10969.json 38.0.0
2026-04-01T14:09:38.025126+00:00 RedHat Importer Affected by VCID-3wa1-khqf-x7fv https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10968.json 38.0.0
2026-04-01T14:09:19.377883+00:00 RedHat Importer Affected by VCID-a5sk-5grx-eyaf https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11619.json 38.0.0
2026-04-01T14:07:00.902270+00:00 RedHat Importer Affected by VCID-pnt3-1ssq-tqau https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14061.json 38.0.0
2026-04-01T14:06:52.331892+00:00 RedHat Importer Affected by VCID-uygc-h93v-vuh8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14062.json 38.0.0
2026-04-01T14:06:47.106454+00:00 RedHat Importer Affected by VCID-3qjf-azsa-fbek https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14060.json 38.0.0
2026-04-01T14:06:20.744966+00:00 RedHat Importer Affected by VCID-ze79-6kcg-nfcp https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14195.json 38.0.0