396 matches found
jackson-databind: default typing mishandling leading to remote code execution
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLAS...
jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...
RHEL 8 : opendaylight (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jackson-databind: Serialization gadgets in classes of the ehcache package CVE-2019-17267 - A flaw was...
RHEL 7 : rh-maven35-jackson-databind (RHSA-2019:0782)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:0782 advisory. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API...
Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to FasterXML jackson-databind
Summary IBM B2B Advanced Communications has addressed vulnerabilities in jackson-databind shipped with product. Vulnerability Details CVEID:CVE-2018-14719 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block...
SUSE CVE-2018-14721
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery SSRF attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization...
SUSE CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization...
SUSE CVE-2018-19360
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization...
SUSE CVE-2019-14892
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code...
SUSE CVE-2019-14893
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...
CVE-2018-14718
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code...
CVE-2019-12384
A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...
CVE-2018-19361
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code...
CVE-2018-14721
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery SSRF attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization...
CVE-2019-14379
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLAS...
CVE-2017-15095
A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes...
CVE-2018-14719
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code...
Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis
Summary There are vulnerabilities in various versions of FasterXML jackson-databind that affect Apache Solr. The vulnerabilities are in Vulnerability Details section. Vulnerability Details CVEID: CVE-2018-14718 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute...
Security Bulletin: Android Mobile SDK compile builder includes vulnerable components
Summary A third party JSON parser that Android Mobile SDK uses include vulnerable components. The JSON parser is included in the compile builder provided to customers to compile their Mobile SDK manifest. It is not included within customer apps. Vulnerability Details CVEID: CVE-2018-7489...
Debian DLA-2342-1 : libjackson-json-java security update
Several vulnerabilities were fixed in libjackson-json-java, a Java JSON processor. CVE-2017-7525 Jackson Deserializer security vulnerability. CVE-2017-15095 Block more JDK types from polymorphic deserialization. CVE-2019-10172 XML external entity vulnerabilities. For Debian 9 stretch, these...