Lucene search

Jackson-Databind Security Vulnerabilities - May

cve

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-07 12:15 AM

239

cve

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

221

cve

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-07 12:15 AM

229

cve

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-07 12:15 AM

233

cve

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

221

cve

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

221

cve

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

215

cve

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

212

cve

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

221

cve

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

8.1CVSS

7.7AI Score

0.003EPSS

2021-01-06 11:15 PM

229

cve

CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

7.5CVSS

7.4AI Score

0.002EPSS

2022-03-11 07:15 AM

351

cve

CVE-2020-8840

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

9.8CVSS

9.3AI Score

0.03EPSS

2020-02-10 09:56 PM

287

In Wild

cve

CVE-2020-9546

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

9.8CVSS

9.2AI Score

0.007EPSS

2020-03-02 04:15 AM

276

cve

CVE-2020-9547

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

9.8CVSS

9.1AI Score

0.007EPSS

2020-03-02 04:15 AM

274

cve

CVE-2020-9548

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

9.8CVSS

9.1AI Score

0.004EPSS

2020-03-02 04:15 AM

295

cve

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1CVSS

7.6AI Score

0.004EPSS

2021-01-19 05:15 PM

210

cve

CVE-2021-46877

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

7.5CVSS

7.1AI Score

0.001EPSS

2023-03-18 10:15 PM

133

cve

CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

7.5CVSS

7.5AI Score

0.003EPSS

2022-10-02 05:15 AM

477

cve

CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

7.5CVSS

7.5AI Score

0.003EPSS

2022-10-02 05:15 AM

292

cve

CVE-2023-35116

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure an...

4.7CVSS

5.5AI Score

0.0004EPSS

2023-06-14 02:15 PM

962

Total number of security vulnerabilities70