70 matches found
CVE-2023-35116
CVE-2023-35116 : IBM/IBM X-Force bulletin confirms a vulnerability in FasterXML jackson-databind (affected up to 2.15.2) where a crafted object with cyclic dependencies could cause denial of service or other unspecified impact during serialization. The vendor notes this report as not a valid vuln...
CVE-2019-12384
CVE-2019-12384 affects FasterXML jackson-databind 2.x (pre-2.9.9.1) where failure to block logback-core in polymorphic deserialization can enable remote code execution depending on classpath contents. The Connected IBM documents corroborate broader jet deserialization gadget vulnerabilities in ja...
CVE-2022-42003
The CVE-2022-42003 issue affects FasterXML jackson-databind, where enabling UNWRAP_SINGLE_VALUE_ARRAYS allows resource exhaustion due to a missing check in primitive value deserializers to prevent deep wrapper array nesting. Affected versions are before 2.13.4.1 and 2.12.17.1; remediation per sou...
CVE-2020-36518
CVE-2020-36518 affects jackson-databind prior to 2.13.0, enabling a Java StackOverflow and DoS via excessive nesting depth. In affected advisories, remediation is to upgrade jackson-databind to 2.13.0+ (examples show 2.13.x or newer such as 2.13.4.2 in Crowd/CWD references). Practical impact is d...
CVE-2020-25649
The CVE-2020-25649 entry concerns a flaw in FasterXML Jackson Databind where entity expansion was not properly secured, enabling XML External Entity (XXE) attacks. This is a data-integrity risk. Connected advisories consistently associate the issue with Jackson Databind and XXE, and several sourc...
CVE-2019-14540
CVE-2019-14540 affects jackson-databind up to version 2.9.10 with serialization gadget risk involving the HikariCP classes (com.zaxxer.hikari.HikariConfig). The authoritative initial doc notes a polymorphic typing issue in jackson-databind related to HikariConfig. Connected-material references (A...
CVE-2022-42004
The CVE affects FasterXML jackson-databind prior to 2.13.4, where resource exhaustion can occur due to a missing check in BeanDeserializer._deserializeFromArray that prevents deeply nested arrays. An application is vulnerable only with certain customized deserialization paths. Concrete details ac...
CVE-2020-9546
CVE-2020-9546 affects FasterXML jackson-databind 2.x before 2.9.10.4, where serialization gadgets and typing interactions involving org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig can lead to deserialization issues. The IBM/Cloudera bulletin references the same CVE and lists a high impact...
CVE-2020-9547
CVE-2020-9547 involves jackson-databind 2.x before 2.9.10.4 where deserialization gadget typing interaction (related to ibatis-sqlmap) enables likely remote code execution. Connected IBM advisories enumerate multiple CBEs in jackson-databind and show affected IBM products; remediation guidance ge...
CVE-2020-9548
CVE-2020-9548 affects Cloudera Data Platform Private Cloud Base (IBM) 7.1.9. It is a deserialization vulnerability in FasterXML jackson-databind 2.x up to 2.9.10.3/4 where interaction between serialization gadgets and typing (relating to br.com.anteros.dbcp.AnterosDBCPConfig) can lead to remote c...
CVE-2020-8840
CVE-2020-8840 affects FasterXML jackson-databind 2.0.0–2.9.10.2, where missing blocking of xbean-reflect/JNDI chains (notably org.apache.xbean.propertyeditor.JndiConverter) enables JNDI injection leading to remote code execution. Affected component is jackson-databind’s deserialization path; impa...
CVE-2020-11113
CVE-2020-11113 is a deserialization vulnerability in FasterXML jackson-databind (2.x before 2.9.10.4) tied to typing gadget interactions (notably related to org.apache.openjpa.ee.WASRegistryManagedRuntime). The connected documents corroborate an exploit path via unsafe deserialization leading to ...
CVE-2017-7525
CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...
CVE-2020-10672
CVE-2020-10672 affects FasterXML jackson-databind 2.x prior to 2.9.10.4. The issue arises from deserialization gadget/typing interaction (related to org.apache. Aries transaction JMS XaPooledConnectionFactory), enabling high-severity impact on data confidentiality/integrity/availability. Connecte...
CVE-2020-14061
CVE-2020-14061 concerns Jackson Databind 2.x before 2.9.10.5, where deserialization gadgets typing interaction (including oracle.jms.AQjms* components) can be exploited. IBM and NVD references show a high-severity exposure (base scores up to 8.1–9.8) with network attack vector and partial to high...
CVE-2018-14721
CVE-2018-14721 affects FasterXML jackson-databind 2.x up to 2.9.6 (before 2.9.7). The flaw allows remote attackers to perform SSRF by failing to block axis2-jaxws class during polymorphic deserialization, enabling server-side requests under network access. The vulnerability is tied to the misuse ...
CVE-2020-11619
CVE-2020-11619 affects Jackson Databind 2.x before 2.9.10.4 and is caused by mishandling the interaction between serialization gadgets and typing (related to spring-aop). This deserialization issue can lead to arbitrary code execution when a crafted JSON is processed, as described in IBM/ISIQ con...
CVE-2020-10968
CVE-2020-10968 affects FasterXML jackson-databind 2.x before 2.9.10.4. The issue arises from how serialization gadgets interact with typing, specifically related to org.aoju.bus.proxy.provider.remoting.RmiProvider (bus-proxy). The result is a deserialization vulnerability with high impact to conf...
CVE-2020-14062
CVE-2020-14062 affects jackson-databind 2.x prior to 2.9.10.5, where interaction between serialization gadgets and typing (related to JNDIConnectionPool) can lead to deserialization abuse with high impact. IBM/X-Force entries consolidate this as a 9.8/3.0 vulnerability. In the connected IBM bulle...
CVE-2020-11111
CVE-2020-11111 involves FasterXML Jackson Databind 2.x before 2.9.10.4, where deserialization gadgets and typing interaction (related to org.apache.activemq.*) are mishandled. This can impact confidentiality, integrity and availability. Affected product is Jackson Databind 2.x prior to 2.9.10.4; ...
CVE-2020-10969
CVE-2020-10969 : Jackson Databind 2.x prior to 2.9.10.4 has a deserialization flaw caused by how serialization gadgets interact with typing (related to javax.swing.JEditorPane). This can enable deserialization of untrusted data with potential remote code execution. The issue is publicly documente...
CVE-2020-14195
CVE-2020-14195 affects FasterXML jackson-databind 2.x before 2.9.10.5, where deserialization gadgets/typing interaction can be exploited (related to org.jsecurity JndiRealmFactory) to potentially execute code. IBM X-Force lists a base score of 9.8 with HIGH impact on confidentiality, integrity an...
CVE-2020-10673
CVE-2020-10673 affects FasterXML jackson-databind 2.x prior to 2.9.10.4. The IBM bulletin and the consolidated Jira/Advisory in connected docs describe a deserialization issue where interaction between serialization gadgets and typing (related to com.caucho.config.types.ResourceRef, aka caucho-qu...
CVE-2020-14060
CVE-2020-14060 affects FasterXML jackson-databind 2.x before 2.9.10.5. The root cause is mishandling of the interaction between serialization gadgets and typing (related to JNDIConnectionPool), enabling deserialization-enabled impact on confidentiality, integrity, and availability. The IBM X-Forc...
CVE-2021-46877
CVE-2021-46877 is an IBM-supported entry describing a Denial of Service in jackson-databind caused by JsonNode JDK serialization in certain Jackson 2.x releases. Affected are jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1. The impact is a 2 GB transient heap usage p...
CVE-2018-19361
CVE-2018-19361 is listed in the IBM Cloudera Observability bulletin as affecting Cloudera Observability on Premises 3.5.3, with remediation in 3.6.2. Description from the bulletin notes that FasterXML jackson-databind 2.x before 2.9.8 allows polymorphic deserialization via the openjpa class, yiel...
CVE-2020-11112
CVE-2020-11112 affects FasterXML jackson-databind 2.x before 2.9.10.4, where serialization gadgets and typing interaction is mishandled (related to org.apache.commons.proxy.provider.remoting.RmiProvider). This is a deserialization issue that could enable malicious payload execution; affected prod...
CVE-2019-20330
CVE-2019-20330 affects FasterXML jackson-databind 2.x before 2.9.10.2, which lacks blocking for net.sf.ehcache in deserialization. This is a deserialization-side issue with high–critical impact potential; remediation is to upgrade to jackson-databind 2.9.10.2 or newer as indicated by connected IB...
CVE-2018-19360
CVE-2018-19360 affects FasterXML jackson-databind 2.x before 2.9.8, where failure to block the axis2-transport-jms class enables polymorphic deserialization with unspecified impact. IBM/Cloudera docs corroborate related deserialization flaws across jackson-databind versions and list remediation a...
CVE-2018-14720
CVE-2018-14720 affects jackson-databind 2.x prior to 2.9.7, via unsafe polymorphic deserialization that could enable external XML entity (XXE) attacks when failure to block unspecified JDK classes occurs. The connected documents corroborate a fix in 2.9.7 (and related update notes), with multiple...
CVE-2019-17531
CVE-2019-17531 affects FasterXML jackson-databind 2.0.0–2.9.10; when Default Typing is enabled for an externally exposed JSON endpoint and apache-log4j-extra 1.2.x is on the classpath, an attacker capable of providing a JNDI service can trigger remote code execution. Connected documents corrobora...
CVE-2020-11620
CVE-2020-11620 : Jackson Databind 2.x before 2.9.10.4 has a deserialization issue arising from how serialization gadgets interact with typing, specifically related to org.apache.commons.jelly.impl.Embedded. This allows potential compromise of confidentiality, integrity, and availability (IBM X-Fo...
CVE-2019-14893
CVE-2019-14893 affects FasterXML jackson-databind up to versions before 2.9.10 and 2.10.0, enabling unsafe polymorphic deserialization via enableDefaultTyping or JsonTypeInfo Id.CLASS/Id.MINIMAL_CLASS, potentially leading to remote code execution when deserializing from unsafe sources. Root cause...
CVE-2018-12023
The CVE-2018-12023 issue affects FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (globally or per-property) and the Oracle JDBC jar is in the classpath with an LDAP service accessible to an attacker, the service could be coerced into executing a ma...
CVE-2019-17267
Summary (CVE-2019-17267): A polymorphic typing deserialization issue in FasterXML Jackson Databind (versions prior to 2.9.10) related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. IBM/X-Force details show a base score of 7.3 (CVSSv3) with high impact on confidentiality, integrit...
CVE-2019-12086
CVE-2019-12086 involves a polymorphic typing issue in FasterXML jackson-databind 2.x prior to 2.9.9. When Default Typing is enabled for an externally exposed JSON endpoint and a victim service has mysql-connector-java (8.0.14 or earlier) on the classpath, an attacker can send a crafted JSON to re...
CVE-2018-7489
CVE-2018-7489 affects FasterXML jackson-databind; an incomplete fix for CVE-2017-7525 allowed unauthenticated remote code execution via JSON input to ObjectMapper.readValue, with a blacklist bypass if c3p0 is present in the classpath. Affected versions per the initial record include 2.7.9.3, 2.8....
CVE-2019-16943
CVE-2019-16943 affects FasterXML jackson-databind (versions 2.0.0–2.9.10) via a polymorphic typing flaw that, when Default Typing is enabled for an exposed JSON endpoint and a p6spy P6DataSource is present in the classpath with an accessible RMI endpoint, can lead to remote code execution. The ro...
CVE-2019-16942
CVE-2019-16942 affects FasterXML jackson-databind 2.0.0–2.9.10. When Default Typing is enabled for an externally exposed JSON endpoint and the service includes the commons-dbcp 1.4 jar on the classpath, with an accessible RMI endpoint, the vulnerability can allow execution of a malicious payload ...
CVE-2019-12814
CVE-2019-12814 is detailed in an IBM security bulletin related to Cloudera Observability on Premises (IBM) 3.5.3. The flaw stems from a polymorphic-typing deserialization issue in FasterXML jackson-databind 2.x up to 2.9.9. When Default Typing is enabled for an externally exposed JSON endpoint an...
CVE-2019-14379
CVE-2019-14379 affects FasterXML jackson-databind prior to 2.9.9.2, where default typing mishandling when ehcache is present (via net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup) leads to remote code execution. Affected component is jackson-databind’s data-binding implementatio...
CVE-2020-35728
CVE-2020-35728 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, where improper interaction between serialization gadgets and typing (related to embedded Xalan/JNDIConnectionPool) is described. The IBM bulletin (CVE list) confirms this vulnerability and its description, but does not provi...
CVE-2020-36180
The connected documents confirm CVE-2020-36180 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing, specifically involving DriverAdapterCPDS in org.apache.commons.dbcp2.cpdsadapter (and related CPDS drivers). A public ...
CVE-2017-15095
Summary of CVE-2017-15095 and related sightings : The material consistently reports a deserialization flaw in jackson-databind, affecting versions prior to 2.8.10 and 2.9.1. An unauthenticated user could trigger code execution via ObjectMapper.readValue with malicious input. The issue is describe...
CVE-2017-17485
CVE-2017-17485 affects FasterXML jackson-databind: a deserialization flaw that enables unauthenticated remote code execution via readValue when the blacklist is bypassed if Spring libraries are on the classpath. The initial description specifies impact for jackson-databind up to 2.8.10 and 2.9.x ...
CVE-2020-36179
CVE-2020-36179 affects FasterXML Jackson Databind (2.x) prior to 2.9.10.8, where the interaction between serialization gadgets and typing (notably involving DriverAdapterCPDS variants) is mishandled. Several connected advisories corroborate an insecure-deserialization pattern that can be triggere...
CVE-2020-36182
CVE-2020-36182 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of serialization gadgets and typing involving DriverAdapterCPDS (org.apache.tomcat.dbcp.dbcp2.cpdsadapter). Do not speculate on exploitability beyond what is stated; some sources (e.g., Debian LTS advisory) ...
CVE-2020-36183
CVE-2020-36183 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing (JNDIConnectionPool gadget chain). Reported in IBM/X-Force and mirrored in Astra Linux bulletin; impact can be high (deserialization-based). Affected...
CVE-2020-36189
CVE-2020-36189 affects FasterXML jackson-databind 2.x before 2.9.10.8. The issue is a deserialization/serialization typing interaction with gadgets (e.g., logback, MySQL/commons proxies) that can lead to arbitrary code execution, data exfiltration or integrity/availability impacts as described in...
CVE-2020-36184
CVE-2020-36184 affects FasterXML jackson-databind 2.x before 2.9.10.8. The connected documents describe a vulnerability arising from the interaction between serialization gadgets and typing, tied to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (and related datasource classes). T...