OSV:GHSA-QR7J-H6GG-JMGC
History: Jul 16, 2019 - 5:42 p.m.

Deserialization of Untrusted Data in jackson-databind

2019-07-16 17:42:21
Google
osv.dev
17

EPSS: 0.571 (Percentile: 97.7%)

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

References