osv | Google | OSV:GHSA-4W82-R329-3Q67
History: Mar 04, 2020 - 8:52 p.m.

Deserialization of Untrusted Data in jackson-databind

2020-03-04 20:52:14
Google
osv.dev
Tags: fasterxml, deserialization, vulnerability, jackson-databind, xbean-reflect, jndi blocking, apache

EPSS: 0.03
Percentile: 91.0%

FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
