9 matches found
CVE-2023-35116
CVE-2023-35116 : IBM/IBM X-Force bulletin confirms a vulnerability in FasterXML jackson-databind (affected up to 2.15.2) where a crafted object with cyclic dependencies could cause denial of service or other unspecified impact during serialization. The vendor notes this report as not a valid vuln...
CVE-2020-36518
CVE-2020-36518 affects jackson-databind prior to 2.13.0, enabling a Java StackOverflow and DoS via excessive nesting depth. In affected advisories, remediation is to upgrade jackson-databind to 2.13.0+ (examples show 2.13.x or newer such as 2.13.4.2 in Crowd/CWD references). Practical impact is d...
CVE-2022-42003
The CVE-2022-42003 issue affects FasterXML jackson-databind, where enabling UNWRAP_SINGLE_VALUE_ARRAYS allows resource exhaustion due to a missing check in primitive value deserializers to prevent deep wrapper array nesting. Affected versions are before 2.13.4.1 and 2.12.17.1; remediation per sou...
CVE-2022-42004
The CVE affects FasterXML jackson-databind prior to 2.13.4, where resource exhaustion can occur due to a missing check in BeanDeserializer._deserializeFromArray that prevents deeply nested arrays. An application is vulnerable only with certain customized deserialization paths. Concrete details ac...
CVE-2017-7525
CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...
CVE-2018-7489
CVE-2018-7489 affects FasterXML jackson-databind; an incomplete fix for CVE-2017-7525 allowed unauthenticated remote code execution via JSON input to ObjectMapper.readValue, with a blacklist bypass if c3p0 is present in the classpath. Affected versions per the initial record include 2.7.9.3, 2.8....
CVE-2017-17485
CVE-2017-17485 affects FasterXML jackson-databind: a deserialization flaw that enables unauthenticated remote code execution via readValue when the blacklist is bypassed if Spring libraries are on the classpath. The initial description specifies impact for jackson-databind up to 2.8.10 and 2.9.x ...
CVE-2021-20190
CVE-2021-20190 is a Jackson Databind deserialization vulnerability involving the interaction between serialization gadgets and typing, present in Jackson Databind up to 2.9.10.7. The IBM bulletin for Cloudera Observability confirms this CVE as part of a collection and notes a fix in Cloudera Obse...
CVE-2020-10650
CVE-2020-10650 is a deserialization vulnerability in FasterXML jackson-databind up to 2.9.10.4 that allowed unauthenticated code execution via Ignite-JTA or Quartz-core gadgets (e.g., CacheJndiTmLookup/CacheJndiTmFactory; JNDIConnectionProvider). Technical details across connected sources confirm...