22 matches found
CVE-2026-40899
DataEase
Apache Spark Deserialization Vulnerability
Apache Spark is a large-scale data processing engine that supports acyclic data streaming and in-memory computing from the Apache Foundation. Apache Spark suffers from a deserialization vulnerability. The vulnerability stems from the Spark History Web UI's overly lax Jackson deserialization of...
EUVD-2025-208669
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Jackson implementation in the Spark History Server web UI. An attacker who can write event logs can achieve code execution by injecting malicious JSON payloads into event log files, which are the...
CVE-2025-54920
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...
CVE-2025-54920 Apache Spark: Spark History Server Code Execution Vulnerability
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...
CVE-2025-54920
Affected software: Apache Spark History Server (Spark History Web UI). Vulnerability details: In Spark 3.5.4 and earlier (and other versions affected before 3.5.7 and 4.0.1), the History Server deserializes event log data using Jackson with polymorphic types, allowing an attacker with write acces...
Apache Spark Code Issue Vulnerability
Apache Spark is a large-scale data processing engine that supports acyclic data streaming and in-memory computing from the Apache Foundation. Apache Spark suffers from a deserialization vulnerability. The vulnerability stems from the Spark History Web UI's overly lax Jackson deserialization of...
PT-2026-25504
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...
Exploit for Incomplete List of Disallowed Inputs in Fasterxml Jackson-Databind
🔥 Jackson RCE Exploiter - Enterprise Bypass Edition !Versi...
PT-2025-34835 · Git · Json2Avro
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=438873397 Crash type: Security exception Crash state: com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deser com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.mapOb...
SUSE CVE-2018-19361
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization...
GHSA-QJW2-HR98-QGFH Unsafe Deserialization in jackson-databind
FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration...
Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind
CVE-2020-8840 Jackson-databind remote code execution vulnerability (CVE-2020-8840): analysis and reproduction environment code. The project contains: jackson-databind and Fastjson payloads, a WebServer for the malicious class, and a pre-built marshalsec-0.0.3-SNAPSHOT-all.jar. Vulnerability summary: Jackson-databind remote code execution vulnerability (CVE-2020-8840); an attacker can use the xbean-reflect gadget chain (org.apache.xbean.propertyeditor.JndiConverter) to trigger JNDI remote class loading and thereby achieve remote code execution....
GHSA-6WQP-V4V6-C87C Deserialization of Untrusted Data
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled either globally or for a specific property, the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to ma...
UBUNTU-CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the...
GHSA-VVJC-Q5VR-52Q6 Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks
Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object deserialization vulnerability. Camel allows such a type to be specified through the 'CamelJacksonUnmarshalType' property. Deserializing untrusted data can lead to security flaws as demonstrated in various...
Remote Code Execution (RCE)
jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 and CVE-2017-17485 to bypass the blacklist during Jackson deserialization. In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use =...
CVE-2017-4995
An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by...
FasterXML Jackson-databind Deserialization Vulnerability
FasterXML Jackson is a set of Java data-processing tools from the U.S. company FasterXML. Jackson-databind is the component that provides data-binding capabilities. A remote code execution vulnerability exists in FasterXML Jackson-databind. An attacker could exploit this vulnerability to execute arbitrary...