Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Jackson-Databind Security Vulnerabilities - March 2020

cve
cve

CVE-2019-14892

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

9.8CVSS

9.4AI Score

0.004EPSS

2020-03-02 05:15 PM
170
cve
cve

CVE-2019-14893

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @Jso...

9.8CVSS

9.5AI Score

0.025EPSS

2020-03-02 09:15 PM
125
cve
cve

CVE-2020-10672

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-18 10:15 PM
187
3
cve
cve

CVE-2020-10673

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-18 10:15 PM
235
3
cve
cve

CVE-2020-10968

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-26 01:15 PM
177
3
cve
cve

CVE-2020-10969

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-26 01:15 PM
172
3
cve
cve

CVE-2020-11111

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-31 05:15 AM
171
4
cve
cve

CVE-2020-11112

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-31 05:15 AM
150
4
cve
cve

CVE-2020-11113

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

8.8CVSS

8.3AI Score

0.008EPSS

2020-03-31 05:15 AM
229
3
cve
cve

CVE-2020-9546

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

9.8CVSS

9.2AI Score

0.007EPSS

2020-03-02 04:15 AM
276
2
cve
cve

CVE-2020-9547

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

9.8CVSS

9.1AI Score

0.007EPSS

2020-03-02 04:15 AM
274
2
cve
cve

CVE-2020-9548

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

9.8CVSS

9.1AI Score

0.004EPSS

2020-03-02 04:15 AM
295