{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41825?format=json","vulnerability_id":"VCID-r92s-4m4x-dqc7","summary":"Unsafe Deserialization in jackson-databind\nFasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.","aliases":[{"alias":"CVE-2020-36183"},{"alias":"GHSA-9m6f-7xcq-8vf8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59746?format=json","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.5"},{"url":"http://public2.vulnerablecode.io/api/packages/59594?format=json","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58289?format=json","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5887-pcyq-nkht"},{"vulnerability":"VCID-8kwc-sxvr-skgp"},{"vulnerability":"VCID-fkct-tzwg-mkh8"},{"vulnerability":"VCID-kdkp-1ucy-w3g1"},{"vulnerability":"VCID-nz1v-4hgs-6yge"},{"vulnerability":"VCID-r92s-4m4x-dqc7"},{"vulnerability":"VCID-xqz3-k7ts-juck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/54992?format=json","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18u1-9nc1-2feh"},{"vulnerability":"VCID-39mg-y1k8-xbf9"},{"vulnerability":"VCID-8mns-fyju-dqdr"},{"vulnerability":"VCID-d6ez-jva8-hyag"},{"vulnerability":"VCID-p52x-ese3-qkha"},{"vulnerability":"VCID-r92s-4m4x-dqc7"},{"vulnerability":"VCID-rg7k-kaxv-2ubx"},{"vulnerability":"VCID-s61k-e43h-13b5"},{"vulnerability":"VCID-t79w-jeyp-suaw"},{"vulnerability":"VCID-u37s-5nn4-wqbx"},{"vulnerability":"VCID-wqg8-5kwe-vuem"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0"}],"references":[{"reference_url":"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","reference_id":"","reference_type":"","scores":[],"url":"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"reference_url":"https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29"},{"reference_url":"https://github.com/FasterXML/jackson-databind/issues/3003","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FasterXML/jackson-databind/issues/3003"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210205-0005","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36183","reference_id":"CVE-2020-36183","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36183"},{"reference_url":"https://github.com/advisories/GHSA-9m6f-7xcq-8vf8","reference_id":"GHSA-9m6f-7xcq-8vf8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9m6f-7xcq-8vf8"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r92s-4m4x-dqc7"}