Jackson-databind@* Security Vulnerabilities and Issues — Jackson-databind@* CVE List

Lucene search

FasterxmlJackson-databind*

9 matches found

CVE•added 2023/06/14 2:15 p.m.•1188 views

CVE-2023-35116

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure an...

4.7CVSS5.5AI score0.00015EPSS

CVE•added 2022/10/02 5:15 a.m.•774 views

CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

7.5CVSS7.5AI score0.00278EPSS

CVE•added 2022/03/11 7:15 a.m.•638 views

CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

7.5CVSS7.4AI score0.00503EPSS

CVE•added 2022/10/02 5:15 a.m.•557 views

CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

7.5CVSS7.5AI score0.00202EPSS

CVE•added 2018/02/06 3:29 p.m.•429 views

CVE-2017-7525

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

9.8CVSS9.2AI score0.77336EPSS

CVE•added 2018/02/26 3:29 p.m.•318 views

CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ...

9.8CVSS9.5AI score0.77336EPSS

CVE•added 2018/01/10 6:29 p.m.•256 views

CVE-2017-17485

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassin...

9.8CVSS9.5AI score0.77336EPSS

CVE•added 2021/01/19 5:15 p.m.•253 views

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.3CVSS7.6AI score0.00502EPSS

CVE•added 2022/12/26 8:15 p.m.•217 views

CVE-2020-10650

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.J...

8.1CVSS8.1AI score0.06186EPSS