396 matches found
jackson-databind: lacks certain net.sf.ehcache blocking
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...
jackson-databind: lacks certain net.sf.ehcache blocking
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...
jackson-databind: lacks certain net.sf.ehcache blocking
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...
jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...
jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...
jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the commons-dbcp gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...
jackson-databind: Serialization gadgets in classes of the xalan package
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...
jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the p6spy gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLASS...
jackson-databind: lacks certain net.sf.ehcache blocking
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...
jackson-databind: Serialization gadgets in classes of the ehcache package
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...
jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the mysql gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLASS...
jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariConfig gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...
jackson-databind: Serialization gadgets in classes of the commons-configuration package
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code...
Remote Code Execution (RCE)
system.data.common is vulnerable to remote code execution RCE. The vulnerability exists as it allows unrestricted polymorphic deserialization in DataSet without proper validation...
jackson-databind: exfiltration/XXE in some JDK classes
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...
jackson-databind: arbitrary code execution in slf4j-ext class
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code...
jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery SSRF attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization...
jackson-databind: improper polymorphic deserialization in jboss-common-core class
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code...
jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code...
jackson-databind: improper polymorphic deserialization in openjpa class
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code...