ALT-PU-2021-1792-2 — jackson-databind

BDU:2019-04081

CRITICAL9.8

Уязвимость функции FasterXML (com.zaxxer.hikari.HikariDataSource) Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой

Published: 2019-11-19Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2019-16335

BDU:2019-04085

CRITICAL9.8

Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой

Published: 2019-11-19Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2019-14540

BDU:2019-04776

CRITICAL9.8

Уязвимость компонентов SharedPoolDataSource и PerUserPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю получить несанкционированный доступ к информации или вызвать отказ в обслуживании

Published: 2019-12-22Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2019-16942

BDU:2019-04777

CRITICAL9.8

Уязвимость компонента P6DataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю получить несанкционированный доступ к информации или вызвать отказ в обслуживании

Published: 2019-12-22Modified: 2023-11-21

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2019-16943

BDU:2019-04778

CRITICAL9.8

Уязвимость реализации механизма полиморфной типизации данных библиотеки jackson-databind, позволяющая нарушителю выполнить вредоносную нагрузку

Published: 2019-12-22Modified: 2023-11-21

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

BDU:2020-00566

CRITICAL9.8

Уязвимость реализации механизма полиморфной типизации данных библиотеки FasterXML Jackson-databind, позволяющая нарушителю получить полный контроль над приложением

Published: 2020-02-11Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2019-17267

BDU:2020-00688

CRITICAL9.8

Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой

Published: 2020-02-24Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2019-17531

BDU:2020-02242

CRITICAL9.8

Уязвимость библиотеки Jackson-databind, связанная с восстановлением недостоверных данных в памяти, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании

Published: 2020-05-21Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2019-20330

BDU:2020-03616

CRITICAL9.8

Уязвимость компонента br.com.anteros.dbcp.AnterosDBCPConfig Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-07-31Modified: 2025-07-01

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-9548

BDU:2020-03617

CRITICAL9.8

Уязвимость компонента com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-07-31Modified: 2025-07-01

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-9547

BDU:2020-03618

CRITICAL9.8

Уязвимость компонента org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-07-31Modified: 2025-07-01

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-9546

BDU:2020-04358

HIGH8.1

Уязвимость компонента br.com.anteros.dbcp.AnterosDBCPDataSource библиотеки FasterXML jackson-databind, позволяющая нарушителю оказать воздействие на целостность данных, получить доступ к конфиденциальным данным, а также вызвать отказ в обслуживании

Published: 2020-09-22Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-24616

BDU:2020-04467

CRITICAL9.8

Уязвимость компонента commons-jelly библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2020-09-29Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2020-11620

BDU:2020-04468

CRITICAL9.8

Уязвимость компонента spring-aop библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2020-09-29Modified: 2025-07-11

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2020-11619

BDU:2020-04507

CRITICAL9.8

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверной структуры данных, позволяющая нарушителю выполнить произвольный код

Published: 2020-10-01Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2019-14893

BDU:2020-04626

HIGH8.1

Уязвимость компонента com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2020-10-14Modified: 2025-07-11

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-14062

BDU:2020-04627

HIGH8.1

Уязвимость компонента oadd.org.apache.xalan.lib.sql.JNDIConnectionPool библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2020-10-14Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-14060

BDU:2020-04628

HIGH8.1

Уязвимость компонента weblogic/oracle-aqjms библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2020-10-14Modified: 2025-07-11

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-14061

BDU:2020-04944

HIGH8.1

Уязвимость компонента org.jsecurity библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2020-11-02Modified: 2025-07-11

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-14195

BDU:2021-00714

HIGH8.8

Уязвимость компонента org.aoju.bus.proxy.provider.remoting.RmiProvider библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-03-05

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-10673

BDU:2021-00725

HIGH8.8

Уязвимость компонента org.aoju.bus.proxy.provider.remoting.RmiProvider библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-07-11

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-10968

BDU:2021-00763

HIGH8.8

Уязвимость компонента org.apache.activemq библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-03-05

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-11111

BDU:2021-00767

HIGH8.8

Уязвимость класса ignite-jta библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2023-09-13

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-10650

BDU:2021-00768

HIGH8.8

Уязвимость компонента org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-03-05

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-10672

BDU:2021-00771

HIGH8.8

Уязвимость библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-07-11

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-10969

BDU:2021-00772

HIGH8.8

Уязвимость компонента org.apache.openjpa.ee.WASRegistryManagedRuntime библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-03-05

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-11113

BDU:2021-00840

HIGH8.8

Уязвимость компонента org.apache.commons.proxy.provider.remoting.RmiProvider библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-16Modified: 2025-03-05

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-11112

BDU:2021-00882

HIGH8.1

Уязвимость функции в com.pastdev.httpcomponents.configuration.JndiConfiguration библиотеки Jackson-databind проекта FasterXML , позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-02-23Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-24750

BDU:2021-01045

HIGH8.1

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-03-02Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-35728

BDU:2021-01572

HIGH7.5

Уязвимость компонента xbean-reflect/JNDI библиотеки Jackson-databind, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Published: 2021-03-30Modified: 2025-07-01

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2020-8840

BDU:2021-02829

HIGH8.1

Уязвимость компонента org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36186

BDU:2021-02830

HIGH8.1

Уязвимость компонента oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36179

BDU:2021-02831

HIGH8.1

Уязвимость компонента org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36183

BDU:2021-02832

HIGH8.1

Уязвимость компонента org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36180

BDU:2021-02833

HIGH8.1

Уязвимость компонента org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36184

BDU:2021-02834

HIGH8.1

Уязвимость компонента com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36188

BDU:2021-02835

HIGH8.1

Уязвимость компонента com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36189

BDU:2021-02836

HIGH8.1

Уязвимость компонента org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36181

BDU:2021-02837

HIGH8.1

Уязвимость компонента org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36185

BDU:2021-02838

HIGH8.1

Уязвимость компонента org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36187

BDU:2021-02839

HIGH8.1

Уязвимость компонента org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2021-06-04Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-36182

BDU:2021-02953

CRITICAL9.8

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

Published: 2021-06-10Modified: 2025-03-05

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2019-14892

BDU:2022-03804

HIGH8.1

Уязвимость компонента org.apache.commons.dbcp2.datasources.PerUserPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Published: 2022-06-27Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

References

CVE-2020-35490

BDU:2024-00113

HIGH8.1

Уязвимость библиотеки jackson-databind, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

Published: 2024-01-10Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2020-35491

BDU:2024-00181

HIGH8.1

Уязвимость библиотеки jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

Published: 2024-01-11Modified: 2025-03-05

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2021-20190

CVE-2019-14540

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Published: 2019-09-15Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-14892

CRITICAL9.8

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Published: 2020-03-02Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-14893

CRITICAL9.8

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Published: 2020-03-02Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-16335

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Published: 2019-09-15Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-16942

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Published: 2019-10-01Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-16943

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Published: 2019-10-01Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-17267

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Published: 2019-10-07Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-17531

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Published: 2019-10-12Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-20330

CRITICAL9.8

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Published: 2020-01-03Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-10650

HIGH8.1

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Published: 2022-12-26Modified: 2025-08-19

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-10672

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

Published: 2020-03-18Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-10673

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Published: 2020-03-18Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-10968

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Published: 2020-03-26Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-10969

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

Published: 2020-03-26Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-11111

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

Published: 2020-03-31Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-11112

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Published: 2020-03-31Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-11113

HIGH8.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Published: 2020-03-31Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

CVE-2020-11619

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Published: 2020-04-07Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-11620

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Published: 2020-04-07Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-14060

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Published: 2020-06-14Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-14061

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Published: 2020-06-14Modified: 2025-08-27

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-14062

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Published: 2020-06-14Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-14195

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

Published: 2020-06-16Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-24616

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Published: 2020-08-25Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-24750

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Published: 2020-09-17Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-35490

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

Published: 2020-12-17Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-35491

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Published: 2020-12-17Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-35728

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Published: 2020-12-27Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36179

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Published: 2021-01-07Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36180

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Published: 2021-01-07Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36181

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36182

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Published: 2021-01-07Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36183

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Published: 2021-01-07Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36184

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36185

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36186

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36187

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36188

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-36189

HIGH8.1

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Published: 2021-01-06Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-8840

CRITICAL9.8

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Published: 2020-02-10Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-9546

CRITICAL9.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Published: 2020-03-02Modified: 2026-04-29

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-9547

CRITICAL9.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Published: 2020-03-02Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-9548

CRITICAL9.8

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Published: 2020-03-02Modified: 2024-11-21

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2021-20190

HIGH8.1

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Published: 2021-01-19Modified: 2025-08-27

CVSS 2.0HIGH 8.3

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:C

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-27xj-rqx5-2255

HIGH8.1

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2021-08-26

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-4w82-r329-3q67

CRITICAL9.8

Deserialization of Untrusted Data in jackson-databind

Published: 2020-03-04Modified: 2023-06-08

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-58pp-9c76-5625

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-06-11Modified: 2021-08-30

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-5949-rw7g-wx7w

HIGH8.1

Deserialization of untrusted data in jackson-databind

Published: 2021-01-21Modified: 2024-03-15

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-5p34-5m6p-p58g

CRITICAL9.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-04-24Modified: 2021-08-25

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-5r5r-6hpj-8gg9

HIGH8.1

Serialization gadget exploit in jackson-databind

Published: 2021-12-09Modified: 2022-02-09

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-758m-v56v-grj4

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-04-24Modified: 2024-06-25

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-85cw-hj65-qqv9

CRITICAL9.8

Polymorphic Typing issue in FasterXML jackson-databind

Published: 2019-09-23Modified: 2023-09-13

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-89qr-369f-5m5x

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-8c4j-34r4-xr8g

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-8w26-6f25-cm9x

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-95cm-88f5-f2c7

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-04-23Modified: 2024-07-04

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-9gph-22xh-8x98

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-9m6f-7xcq-8vf8

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-9vvp-fxw6-jcxr

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2024-03-15

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-c265-37vj-cwcc

HIGH8.1

Deserialization of untrusted data in Jackson Databind

Published: 2020-06-18Modified: 2024-06-25

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-c2q3-4qrh-fm48

HIGH8.1

Deserialization of untrusted data in Jackson Databind

Published: 2020-06-18Modified: 2021-10-22

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-cf6r-3wgc-h863

HIGH7.5

Polymorphic deserialization of malicious object in jackson-databind

Published: 2020-05-15Modified: 2023-09-14

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

GHSA-cvm9-fjm9-3572

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-f3j5-rmmp-3fc5

CRITICAL9.8

Improper Input Validation in jackson-databind

Published: 2020-06-15Modified: 2023-09-13

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-f9xh-2qgp-cq57

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-fmmc-742q-jg75

CRITICAL9.8

jackson-databind polymorphic typing issue

Published: 2019-11-13Modified: 2023-09-14

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-fqwf-pjwf-7vqv

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2024-07-04

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-gjmw-vf9h-g25v

CRITICAL9.8

jackson-databind polymorphic typing issue

Published: 2019-11-13Modified: 2023-09-14

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-gww7-p5w4-wrfv

CRITICAL9.8

Deserialization of Untrusted Data in jackson-databind

Published: 2020-03-04Modified: 2024-03-15

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-h3cw-g4mq-c5x2

HIGH8.1

Code Injection in jackson-databind

Published: 2021-12-09Modified: 2022-04-22

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-h4rc-386g-6m85

HIGH8.1

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-04-23Modified: 2024-03-15

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-h822-r4r5-v8jg

CRITICAL9.8

Polymorphic Typing issue in FasterXML jackson-databind

Published: 2019-09-23Modified: 2024-03-15

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-j823-4qch-3rgm

HIGH8.1

Deserialization of untrusted data in Jackson Databind

Published: 2020-06-18Modified: 2024-03-15

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-m6x4-97wx-4q27

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2022-02-09

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-mc6h-4qgp-37qh

HIGH8.1

Deserialization of untrusted data in Jackson Databind

Published: 2020-06-18Modified: 2024-03-15

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-mx7p-6679-8g3q

CRITICAL9.8

Polymorphic Typing in FasterXML jackson-databind

Published: 2019-10-28Modified: 2024-03-15

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-p43x-xfjf-5jhr

CRITICAL9.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2024-03-15

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-q93h-jc49-78gg

CRITICAL9.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2023-09-14

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-qjw2-hr98-qgfh

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2022-04-09

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-qmqc-x3r4-6v39

NONE

Polymorphic deserialization of malicious object in jackson-databind

Published: 2020-05-15Modified: 2020-04-22

References

GHSA-r3gr-cxrf-hg25

HIGH8.1

Serialization gadgets exploit in jackson-databind

Published: 2021-12-09Modified: 2024-06-25

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-r695-7vr9-jgc2

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2022-02-09

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-rf6r-2c4q-2vwg

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2024-03-15

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-rpr3-cw39-3pxh

HIGH8.1

jackson-databind vulnerable to unsafe deserialization

Published: 2022-07-15Modified: 2025-04-15

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-v3xw-c963-f5hc

HIGH8.8

jackson-databind mishandles the interaction between serialization gadgets and typing

Published: 2020-05-15Modified: 2021-08-25

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-v585-23hc-c647

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-11-19Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-vfqx-33qm-g869

HIGH8.1

Unsafe Deserialization in jackson-databind

Published: 2021-12-09Modified: 2023-09-14

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-wh8g-3j2c-rqj5

HIGH8.1

Serialization gadgets exploit in jackson-databind

Published: 2021-12-09Modified: 2024-03-15

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Package update jackson-databind in branch sisyphus

Closed issues (133)

Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой

Уязвимость реализации механизма полиморфной типизации данных библиотеки jackson-databind, позволяющая нарушителю выполнить вредоносную нагрузку

Уязвимость реализации механизма полиморфной типизации данных библиотеки FasterXML Jackson-databind, позволяющая нарушителю получить полный контроль над приложением

Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой

Уязвимость компонента br.com.anteros.dbcp.AnterosDBCPConfig Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента commons-jelly библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента spring-aop библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента oadd.org.apache.xalan.lib.sql.JNDIConnectionPool библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента weblogic/oracle-aqjms библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента org.jsecurity библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента org.apache.commons.dbcp2.datasources.PerUserPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код

Уязвимость библиотеки jackson-databind, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

Уязвимость библиотеки jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

jackson-databind mishandles the interaction between serialization gadgets and typing

Deserialization of Untrusted Data in jackson-databind

jackson-databind mishandles the interaction between serialization gadgets and typing

Deserialization of untrusted data in jackson-databind

jackson-databind mishandles the interaction between serialization gadgets and typing

Serialization gadget exploit in jackson-databind

jackson-databind mishandles the interaction between serialization gadgets and typing

Polymorphic Typing issue in FasterXML jackson-databind

Unsafe Deserialization in jackson-databind

Unsafe Deserialization in jackson-databind

Unsafe Deserialization in jackson-databind

jackson-databind mishandles the interaction between serialization gadgets and typing

Unsafe Deserialization in jackson-databind

Unsafe Deserialization in jackson-databind

jackson-databind mishandles the interaction between serialization gadgets and typing

Deserialization of untrusted data in Jackson Databind

Deserialization of untrusted data in Jackson Databind

Polymorphic deserialization of malicious object in jackson-databind

Unsafe Deserialization in jackson-databind

Improper Input Validation in jackson-databind

Unsafe Deserialization in jackson-databind

jackson-databind polymorphic typing issue

jackson-databind mishandles the interaction between serialization gadgets and typing

jackson-databind polymorphic typing issue

Deserialization of Untrusted Data in jackson-databind