396 matches found

RedHat Linux
added 2020/05/18 10:24 a.m. | 2 views

jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the p6spy gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS...

CVSS 9.8 | AI score 7.4 | EPSS 0.04861
Exploits 0 | References 4
OSV
added 2020/05/15 6:59 p.m. | 3 views

GHSA-QMQC-X3R4-6V39 Polymorphic deserialization of malicious object in jackson-databind

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...

CVSS 9.8 | AI score 7.2 | EPSS 0.03958
Exploits 0 | References 10
Github Security Blog
added 2020/05/15 6:59 p.m. | 154 views

Polymorphic deserialization of malicious object in jackson-databind

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...

CVSS 9.8 | AI score 2.6 | EPSS 0.03958
Exploits 0 | References 11 | Affected Software 1
OSV
added 2020/05/15 6:58 p.m. | 5 views

GHSA-CF6R-3WGC-H863 Polymorphic deserialization of malicious object in jackson-databind

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code...

CVSS 7.5 | AI score 7.3 | EPSS 0.0544
Exploits 0 | References 10
Github Security Blog
added 2020/05/15 6:58 p.m. | 125 views

Polymorphic deserialization of malicious object in jackson-databind

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code...

CVSS 9.8 | AI score 9.2 | EPSS 0.0544
Exploits 0 | References 10 | Affected Software 1
RedHat Linux
added 2020/04/28 4:10 p.m. | 4 views

jackson-databind: lacks certain net.sf.ehcache blocking

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLA...

CVSS 9.8 | AI score 7.3 | EPSS 0.0864
Exploits 0 | References 4
RedHat Linux
added 2020/04/28 4:10 p.m. | 3 views

jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the commons-dbcp gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

CVSS 9.8 | AI score 7.4 | EPSS 0.05681
Exploits 0 | References 4
RedHat Linux
added 2020/04/28 4:10 p.m. | 6 views

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

CVSS 9.8 | AI score 7 | EPSS 0.04918
Exploits 0 | References 4
RedHat Linux
added 2020/04/28 4:10 p.m. | 4 views

jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the p6spy gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS...

CVSS 9.8 | AI score 7.4 | EPSS 0.04861
Exploits 0 | References 4
RedHat Linux
added 2020/04/28 4:10 p.m. | 3 views

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariConfig gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

CVSS 9.8 | AI score 7 | EPSS 0.10676
Exploits 1 | References 4
RedHat Linux
added 2020/04/16 7:46 p.m. | 5 views

jackson-databind: lacks certain net.sf.ehcache blocking

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLA...

CVSS 9.8 | AI score 7.3 | EPSS 0.0864
Exploits 0 | References 4
RedHat Linux
added 2020/04/16 7:46 p.m. | 5 views

jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the mysql gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS...

CVSS 7.5 | AI score 7.4 | EPSS 0.21949
Exploits 2 | References 4
RedHat Linux
added 2020/04/14 1:24 p.m. | 3 views

jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the mysql gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS...

CVSS 7.5 | AI score 7.4 | EPSS 0.21949
Exploits 2 | References 4
RedhatCVE
added 2020/04/09 12:16 p.m. | 32 views

CVE-2018-14720

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. Mitigation The following conditions are needed for an exploit, we recommend avoiding all if possibl...

CVSS 9.8 | AI score 5 | EPSS 0.07524
Exploits 0 | References 2
RedhatCVE
added 2020/04/09 12:07 p.m. | 38 views

CVE-2018-19362

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code...

CVSS 9.8 | AI score 4 | EPSS 0.10599
Exploits 0 | References 2
RedhatCVE
added 2020/04/04 5:14 a.m. | 62 views

CVE-2017-7525

A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. Mitigation Mitigation to this problem is to not trigger polymorphic deserializatio...

CVSS 9.8 | AI score 0.9 | EPSS 0.37925
Exploits 7 | References 1
RedhatCVE
added 2020/04/01 2:56 a.m. | 47 views

CVE-2019-14893

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...

CVSS 9.8 | AI score 1.8 | EPSS 0.03958
Exploits 0 | References 3
RedHat Linux
added 2020/03/26 3:46 p.m. | 3 views

jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution

A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...

CVSS 5.9 | AI score 7.8 | EPSS 0.45205
Exploits 2 | References 4
RedHat Linux
added 2020/03/26 3:46 p.m. | 10 views

jackson-databind: default typing mishandling leading to remote code execution

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLAS...

CVSS 9.8 | AI score 7.4 | EPSS 0.08045
Exploits 0 | References 4
RedHat Linux
added 2020/03/23 8:13 p.m. | 7 views

jackson-databind: lacks certain net.sf.ehcache blocking

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLA...

CVSS 9.8 | AI score 7.3 | EPSS 0.0864
Exploits 0 | References 4
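Every entry above shares one precondition: the application enables default typing (enableDefaultTyping) or annotates a base type with @JsonTypeInfo using Id.CLASS or Id.MINIMAL_CLASS, so that a class name in the JSON selects the class to instantiate. The gadget classes differ from CVE to CVE; the configuration that lets them in is the same. The following is an added example, not code from any of these advisories or from the Jackson project. It places the weak legacy setup beside the hardened form available from jackson-databind 2.10 (activateDefaultTyping with a BasicPolymorphicTypeValidator allowlist) and the annotation form that uses logical names instead of class names. The package prefix com.example.model., the Shape and Circle types, and the java.util.HashMap probe are assumptions for illustration; none of the gadget classes named in the entries is used.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Weak: global default typing with no validator. Any class on the classpath with a
    // usable constructor or setter (the gadgets in the advisories above) is a candidate
    // target. enableDefaultTyping() is deprecated since 2.10 for exactly this reason.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened (2.10+): default typing is only honoured for subtypes that pass an explicit
    // allowlist. "com.example.model." is an assumed application package; keep it as narrow
    // as the code you control.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Preferred where polymorphism is genuinely needed: logical names rather than class
    // names. The type id can only resolve to the subtypes listed here. (Assumed example types.)
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    interface Shape { }

    static class Circle implements Shape {
        public double radius;
    }

    // Reads untrusted JSON as Object, the target against which the WRAPPER_ARRAY form
    // ["fully.qualified.Class", {...}] is resolved when default typing is active.
    static String probe(ObjectMapper mapper, String json) {
        try {
            Object o = mapper.readValue(json, Object.class);
            return "accepted: " + o.getClass().getName();
        } catch (JsonMappingException e) {
            // The validator denies the type id before any constructor or setter of the
            // named class runs; the concrete exception is InvalidTypeIdException.
            return "rejected: " + e.getClass().getSimpleName();
        } catch (IOException e) {
            return "parse error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed probe: a harmless JDK class in the default-typing wrapper form.
        // The shape is what a gadget payload uses; the class name here is not a gadget.
        String probeJson = "[\"java.util.HashMap\", {}]";
        System.out.println("weak     -> " + probe(weakMapper(), probeJson));
        System.out.println("hardened -> " + probe(hardenedMapper(), probeJson));

        // Named subtypes: the only way to obtain a Circle is the literal name "circle",
        // and this mapper has no default typing at all.
        ObjectMapper plain = new ObjectMapper();
        Shape s = plain.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("named    -> " + s.getClass().getSimpleName());
    }
}
```

The weak mapper instantiates whatever class the wrapper names, so the probe comes back as java.util.HashMap; the hardened mapper rejects the same input because java.util is outside the allowlist. On 2.9.x the PolymorphicTypeValidator API does not exist, which leaves two options: upgrade to the fixed versions the entries cite, or remove default typing and Id.CLASS annotations altogether. The allowlist is a second layer rather than a replacement for the version fix, since the per-gadget blocklisting these CVEs document is reactive by nature and each new entry on this page is a gadget the blocklist did not yet know about.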