Lucene search
K
FasterxmlJackson-databind

78 matches found

CVE
CVE
added 2021/01/06 10:29 p.m.291 views

CVE-2020-36189

CVE-2020-36189 affects FasterXML jackson-databind 2.x before 2.9.10.8. The issue is a deserialization/serialization typing interaction with gadgets (e.g., logback, MySQL/commons proxies) that can lead to arbitrary code execution, data exfiltration or integrity/availability impacts as described in...

8.1CVSS7.7AI score0.04912EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.289 views

CVE-2020-36184

CVE-2020-36184 affects FasterXML jackson-databind 2.x before 2.9.10.8. The connected documents describe a vulnerability arising from the interaction between serialization gadgets and typing, tied to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (and related datasource classes). T...

8.8CVSS7.7AI score0.10379EPSS
CVE
CVE
added 2020/09/17 6:39 p.m.288 views

CVE-2020-24750

CVE-2020-24750 affects FasterXML jackson-databind 2.x prior to 2.9.10.6, where the interaction between serialization gadgets and typing is mishandled (CWE-502). This deserialization flaw could enable exploitation via untrusted data; the connected IBM/Cloudera doc confirms the CVE entry but does n...

8.1CVSS7.7AI score0.07268EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.286 views

CVE-2020-36185

CVE-2020-36185 is a Jackson Databind v2.x vulnerability (pre-2.9.10.8) where deserialization gadgets interact with typing, linked to SharedPoolDataSource/JNDI-related classes. Affected: jackson-databind 2.x before 2.9.10.8. Impact includes potential remote code execution via gadget chains. Remedi...

8.1CVSS7.7AI score0.05218EPSS
CVE
CVE
added 2021/01/19 4:27 p.m.281 views

CVE-2021-20190

CVE-2021-20190 is a Jackson Databind deserialization vulnerability involving the interaction between serialization gadgets and typing, present in Jackson Databind up to 2.9.10.7. The IBM bulletin for Cloudera Observability confirms this CVE as part of a collection and notes a fix in Cloudera Obse...

8.3CVSS7.6AI score0.07483EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.280 views

CVE-2020-36181

Consolidated evidence shows CVE-2020-36181 affects FasterXML jackson-databind 2.x before 2.9.10.8. The vulnerability arises from mishandling the interaction between serialization gadgets and typing, specifically related to DriverAdapterCPDS classes (notably org.apache.tomcat.dbcp.dbcp.cpdsadapter...

8.8CVSS7.7AI score0.05018EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.280 views

CVE-2020-36186

CVE-2020-36186 affects FasterXML jackson-databind 2.x up to before 2.9.10.8, where serialization gadgets and typing handling interact incorrectly in the presence of PerUserPoolDataSource (org.apache.tomcat.dbcp.dbcp.datasources). This deserialization-related flaw can impact confidentiality, integ...

8.1CVSS7.7AI score0.05218EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.280 views

CVE-2020-36188

The CVE-2020-36188 issue affects FasterXML jackson-databind 2.x prior to 2.9.10.8, caused by mis-handling serialization gadgets in combination with typing (notably involving com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource). The vulnerability is described across multiple source...

8.1CVSS7.7AI score0.10911EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.272 views

CVE-2020-36187

CVE-2020-36187 affects FasterXML jackson-databind 2.x before 2.9.10.8. The root cause is a mishandling of the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. The connected Astra Linux bulletin mirrors this description....

8.1CVSS7.7AI score0.05195EPSS
CVE
CVE
added 2022/12/26 12:0 a.m.265 views

CVE-2020-10650

CVE-2020-10650 is a deserialization vulnerability in FasterXML jackson-databind up to 2.9.10.4 that allowed unauthenticated code execution via Ignite-JTA or Quartz-core gadgets (e.g., CacheJndiTmLookup/CacheJndiTmFactory; JNDIConnectionProvider). Technical details across connected sources confirm...

8.1CVSS8.1AI score0.03301EPSS
In wild
CVE
CVE
added 2020/12/17 6:43 p.m.262 views

CVE-2020-35491

CVE-2020-35491 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, tied to deserialization gadget typing interactions via org.apache.commons.dbcp2.datasources.SharedPoolDataSource. Connected docs corroborate an extensive Jackson deserialization issue set with high impact, but the provided m...

8.1CVSS7.7AI score0.09477EPSS
CVE
CVE
added 2020/12/17 6:43 p.m.252 views

CVE-2020-35490

CVE-2020-35490 : jackson-databind 2.x before 2.9.10.8 is affected. The issue arises from mishandling the interaction between serialization gadgets and typing, related to PerUserPoolDataSource in org.apache.commons.dbcp2. Root cause: polymorphic deserialization/gadget chaining leads to potential c...

8.1CVSS7.7AI score0.07694EPSS
CVE
CVE
added 2020/03/02 4:28 p.m.248 views

CVE-2019-14892

CVE-2019-14892 — In jackson-databind, polymorphic deserialization can be exploited via JNDI gadgets (commons-configuration 1/2) to achieve remote code execution. Affected: jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3. Remediation: upgrade to a fixed jackson-databind release (e.g...

9.8CVSS9.4AI score0.0544EPSS
CVE
CVE
added 2019/07/09 3:37 p.m.246 views

CVE-2018-11307

CVE-2018-11307 concerns a deserialization issue in FasterXML Jackson-databind from 2.0.0 to 2.9.5 that enables content exfiltration when using Jackson default typing with an iBatis gadget class. Affected: jackson-databind components in these versions. Impact: potential exposure of serialized cont...

9.8CVSS9.2AI score0.05683EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.235 views

CVE-2018-14718

CVE-2018-14718 affects FasterXML jackson-databind 2.x (pre-2.9.7). Description: remote code execution via deserialization due to failure to block the slf4j-ext class from polymorphic deserialization. IBM watsonx.data is listed as affected (versions 1.0.0–2.0.0 in some bulletins; later bulletins s...

9.8CVSS9.8AI score0.12679EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.223 views

CVE-2018-14719

CVE-2018-14719 involves FasterXML Jackson Databind 2.x up to but before 2.9.7. The root cause is failure to block polymorphic deserialization of certain gadgets (blaze-ds-opt/blaze-ds-core), enabling remote code execution if the gadget classes can be reached. The IBM bulletin references Jackson D...

9.8CVSS9.8AI score0.09682EPSS
CVE
CVE
added 2020/08/25 5:4 p.m.221 views

CVE-2020-24616

The CVE-2020-24616 vulnerability affects FasterXML jackson-databind 2.x prior to 2.9.10.6, arising from the interaction between serialization gadgets and typing (related to br.com.anteros.dbcp.AnterosDBCPDataSource). Root cause is unsafe deserialization via Gadget chains in Jackson Databind. Impa...

8.1CVSS7.7AI score0.09346EPSS
CVE
CVE
added 2018/01/22 4:0 a.m.220 views

CVE-2018-5968

CVE-2018-5968 concerns FasterXML jackson-databind deserialization. The entry notes unauthenticated remote code execution via two gadgets that bypass a blacklist, stemming from an incomplete fix for CVE-2017-7525 and CVE-2017-17485. Connected sources specify affected jackson-databind versions and ...

8.1CVSS9.6AI score0.06962EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.213 views

CVE-2018-19362

CVE-2018-19362: A vulnerability in Jackson Databind (FasterXML) affects 2.x prior to 2.9.8, due to failure to block the jboss-common-core class in polymorphic deserialization. The IBM doc lists an unknown impact/attack vector with a base score of 5.3 and notes the issue as an unspecified deserial...

9.8CVSS8.8AI score0.10599EPSS
CVE
CVE
added 2019/07/30 10:49 a.m.187 views

CVE-2019-14439

CVE-2019-14439 describes a polymorphic typing deserialization issue in FasterXML jackson-databind 2.x prior to 2.9.9.2. When Default Typing is enabled (globally or for a property) and logback is in the classpath, an externally exposed JSON endpoint may be vulnerable to unsafe deserialization. Aff...

7.5CVSS8.4AI score0.10763EPSS
CVE
CVE
added 2019/03/17 6:14 p.m.176 views

CVE-2018-12022

CVE-2018-12022 affects FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (globally or for a property) and the service classpath contains the Jodd‑db jar (for Jodd DB access) with an LDAP service available, an attacker can trigger remote code executio...

7.5CVSS8.4AI score0.07289EPSS
CVE
CVE
added 2026/06/23 8:53 p.m.138 views

CVE-2026-54513

CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...

8.1CVSS5.8AI score0.00695EPSS
CVE
CVE
added 2026/06/23 8:56 p.m.116 views

CVE-2026-54512

jackson-databind contains a PolymorphicTypeValidator (PTV) bypass vulnerability. When polymorphic typing is enabled and the type ID includes generic parameters, DatabindContext._resolveAndValidateGeneric() validates only the raw container class name, then parses the full canonical type without va...

8.1CVSS5.8AI score0.00617EPSS
CVE
CVE
added 2026/06/23 8:51 p.m.113 views

CVE-2026-54514

CVE-2026-54514 affects jackson-databind’s InetSocketAddress handling during deserialization. From 2.0.0 up to fixes in 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress(host, port), causing eager DNS resolution at readValue time and enabling an attacker to trigger...

5.3CVSS5.9AI score0.00219EPSS
CVE
CVE
added 2026/06/23 8:48 p.m.67 views

CVE-2026-54516

The CVE-2026-54516 vulnerability affects jackson-databind where, from 2.21.0 through 2.21.4 and in 3.1.4, POJOPropertiesCollector._renameProperties() can rename a property annotated with @JsonProperty("renamed") on the getter while the setter is annotated with @JsonIgnore. When MapperFeature.INFE...

5.3CVSS5.9AI score0.00282EPSS
CVE
CVE
added 2026/06/23 9:2 p.m.61 views

CVE-2026-54518

The CVE-2026-54518 issue affects jackson-databind’s UnwrappedPropertyHandler path. From 2.21.0 through 2.21.4 and 3.1.0 through 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). This...

6.5CVSS5.9AI score0.00211EPSS
CVE
CVE
added 2026/06/23 8:47 p.m.44 views

CVE-2026-54517

Summary: CVE-2026-54517 affects jackson-databind. In BeanDeserializer._deserializeUsingPropertyBased, the active-view filter was only applied to creator properties; the path for regular properties lacked a visibleInView check. This allowed setterless Collection/Map properties annotated with a res...

5.3CVSS5.9AI score0.00237EPSS
CVE
CVE
added 2026/06/23 9:0 p.m.27 views

CVE-2026-50193

jackson-databind contains a DoS in JSON tree handling: if a service reads deeply nested JSON (1000s of levels) via ObjectMapper.readTree() and then writes that JsonNode with toString(), it can consume significant resources. Affected are 2.13.0–2.14.0; fixed in 2.14.0. Mitigation: upgrade to 2.14....

7.5CVSS5.9AI score0.00616EPSS
Total number of security vulnerabilities78