{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41835?format=json","vulnerability_id":"VCID-fqzk-v2gt-s7am","summary":"Unsafe Deserialization in jackson-databind\nFasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.","aliases":[{"alias":"CVE-2020-36182"},{"alias":"GHSA-89qr-369f-5m5x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59746?format=json","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.5"},{"url":"http://public2.vulnerablecode.io/api/packages/59594?format=json","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8"}],"affected_packages":[],"references":[{"reference_url":"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","reference_id":"","reference_type":"","scores":[],"url":"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"},{"reference_url":"https://github.com/FasterXML/jackson-databind","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FasterXML/jackson-databind"},{"reference_url":"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b"},{"reference_url":"https://github.com/FasterXML/jackson-databind/issues/3004","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FasterXML/jackson-databind/issues/3004"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210205-0005","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210205-0005"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36182","reference_id":"CVE-2020-36182","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36182"},{"reference_url":"https://github.com/advisories/GHSA-89qr-369f-5m5x","reference_id":"GHSA-89qr-369f-5m5x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-89qr-369f-5m5x"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqzk-v2gt-s7am"}