9 matches found

CVE, added 2023/06/14 12:00 a.m., 1225 views

CVE-2023-35116

CVE-2023-35116 : IBM/IBM X-Force bulletin confirms a vulnerability in FasterXML jackson-databind (affected up to 2.15.2) where a crafted object with cyclic dependencies could cause denial of service or other unspecified impact during serialization. The vendor notes this report as not a valid vuln...

CVSS 4.7 | AI score 5.5 | EPSS 0.00352
CVE, added 2022/03/11 12:00 a.m., 849 views

CVE-2020-36518

CVE-2020-36518 affects jackson-databind prior to 2.13.0, enabling a Java StackOverflow and DoS via excessive nesting depth. In affected advisories, remediation is to upgrade jackson-databind to 2.13.0+ (examples show 2.13.x or newer such as 2.13.4.2 in Crowd/CWD references). Practical impact is d...

CVSS 7.5 | AI score 7.4 | EPSS 0.0486
CVE, added 2022/10/02 12:00 a.m., 812 views

CVE-2022-42003

The CVE-2022-42003 issue affects FasterXML jackson-databind, where enabling UNWRAP_SINGLE_VALUE_ARRAYS allows resource exhaustion due to a missing check in primitive value deserializers to prevent deep wrapper array nesting. Affected versions are before 2.13.4.1 and 2.12.17.1; remediation per sou...

CVSS 7.5 | AI score 7.5 | EPSS 0.02824
CVE, added 2022/10/02 12:00 a.m., 579 views

CVE-2022-42004

CVE-2022-42004 affects FasterXML jackson-databind prior to 2.13.4, where resource exhaustion can occur due to a missing check in BeanDeserializer._deserializeFromArray that prevents deeply nested arrays. An application is vulnerable only with certain customized deserialization paths. Concrete details ac...

CVSS 7.5 | AI score 7.5 | EPSS 0.02656
CVE, added 2018/02/06 3:00 p.m., 493 views

CVE-2017-7525

CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...

CVSS 9.8 | AI score 9.2 | EPSS 0.37925
CVE, added 2018/02/26 3:00 p.m., 362 views

CVE-2018-7489

CVE-2018-7489 affects FasterXML jackson-databind; an incomplete fix for CVE-2017-7525 allowed unauthenticated remote code execution via JSON input to ObjectMapper.readValue, with a blacklist bypass if c3p0 is present in the classpath. Affected versions per the initial record include 2.7.9.3, 2.8....

CVSS 9.8 | AI score 9.5 | EPSS 0.20521
CVE, added 2018/01/10 6:00 p.m., 296 views

CVE-2017-17485

CVE-2017-17485 affects FasterXML jackson-databind: a deserialization flaw that enables unauthenticated remote code execution via readValue when the blacklist is bypassed if Spring libraries are on the classpath. The initial description specifies impact for jackson-databind up to 2.8.10 and 2.9.x ...

CVSS 9.8 | AI score 9.5 | EPSS 0.49727
CVE, added 2021/01/19 4:27 p.m., 279 views

CVE-2021-20190

CVE-2021-20190 is a Jackson Databind deserialization vulnerability involving the interaction between serialization gadgets and typing, present in Jackson Databind up to 2.9.10.7. The IBM bulletin for Cloudera Observability confirms this CVE as part of a collection and notes a fix in Cloudera Obse...

CVSS 8.3 | AI score 7.6 | EPSS 0.07483
CVE, added 2022/12/26 12:00 a.m., 263 views

CVE-2020-10650

CVE-2020-10650 is a deserialization vulnerability in FasterXML jackson-databind up to 2.9.10.4 that allowed unauthenticated code execution via Ignite-JTA or Quartz-core gadgets (e.g., CacheJndiTmLookup/CacheJndiTmFactory; JNDIConnectionProvider). Technical details across connected sources confirm...

CVSS 8.1 | AI score 8.1 | EPSS 0.03301 | Flag: In wild