Deserialization of Untrusted Data in jackson-databind

2020-03-04T20:52:14
ID GHSA-4W82-R329-3Q67
Type github
Reporter GitHub Advisory Database
Modified 2020-03-04T20:52:14

Description

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.