25 matches found
CVE-2026-29062 jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion
jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constrai...
EUVD-2018-0616
Malware in sbrugna...
Security Bulletin: Vulnerability in jackson-core affects IBM Cloud Pak System [CVE-2025-52999]
Summary: Vulnerability found for potential stackoverflowError in jackson-core affects IBM Cloud Pak System. Vulnerability was addressed by IBM Cloud Pak System. Vulnerability Details: CVEID: CVE-2025-52999 DESCRIPTION: jackson-core contains core low-level incremental "streaming" parser and generator...
CVE-2025-52999 jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data
jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly...
Amazon Linux 2 : aws-kinesis-agent (ALAS-2025-2788)
The version of aws-kinesis-agent installed on the remote host is prior to 2.0.10-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2788 advisory. In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in...
PT-2024-40687 · Fasterxml · Jackson Dataformat Cbor
Name of the Vulnerable Software and Affected Versions: Jackson dataformat CBOR (affected versions not specified). Description: The issue is related to a security exception in the Jackson dataformat CBOR library. The crash occurs in the java.base/java.util.Arrays.copyOf method, which is called by...
Security Bulletin: Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis
Summary: There are multiple vulnerabilities in various versions of Data-Binding functionality for Jackson that affect IBM Operations Analytics - Log Analysis. It has been fixed. The vulnerabilities are listed in the Vulnerability Details section below. Vulnerability Details: CVEID: CVE-2020-25649...
Security Bulletin: IBM Sterling Global Mailbox vulnerable to sensitive information exposure due to Jackson Data Mapper (CVE-2019-10172)
Summary: Data mapper for Jackson is shipped with IBM Sterling Global Mailbox. Sensitive information exposure due to XXE error impacts Data mapper for Jackson. Remediation is available for the issues. Vulnerability Details: CVEID: CVE-2019-10172 DESCRIPTION: Jackson-mapper-asl could allow a remote...
Security Bulletin: Jackson Data Mapper Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-10172)
Summary: IBM Sterling B2B Integrator has addressed the security vulnerability. Vulnerability Details: CVEID: CVE-2019-10172 DESCRIPTION: Jackson-mapper-asl could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending ...
[SECURITY] Fedora 32 Update: jackson-databind-2.10.5.1-1.fc32
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration...
Unspecified vulnerability in FasterXML jackson-databind (CNVD-2021-03346)
FasterXML jackson-databind is a generic data binding package for Jackson 2.x. A security vulnerability exists in FasterXML jackson-databind. No details of the vulnerability are provided at this time...
Jackson-databind library vulnerability related to deserialization of untrusted data, allowing an attacker to gain unauthorized access to protected information or cause a service failure.
The vulnerability in the Jackson-databind library relates to deserialization of untrusted data. Exploiting this vulnerability can allow a remote attacker to gain unauthorized access to protected information or cause service failures...
GHSA-V3XW-C963-F5HC jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms)...
jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...
jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...
[SECURITY] Fedora 31 Update: jackson-annotations-2.10.0-1.fc31
Core annotations used for value types, used by Jackson data-binding package...
[SECURITY] Fedora 31 Update: jackson-databind-2.10.0-1.fc31
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration...
DEBIAN-CVE-2019-17531
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled either globally or for a specific property for an externally exposed JSON endpoint and the service has the apache-log4j-extra version 1.2.x jar in the classpath, and an...
[SECURITY] Fedora 30 Update: jackson-annotations-2.9.9-1.fc30
Core annotations used for value types, used by Jackson data-binding package...
[SECURITY] Fedora 30 Update: jackson-databind-2.9.9.3-1.fc30
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration...