Jackson-databind@* Security Vulnerabilities and Issues — Jackson-databind@* CVE List

Lucene search

FasterxmlJackson-databind*

26 matches found

CVE•added 2020/12/03 5:15 p.m.•504 views

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

7.5CVSS7.3AI score0.00011EPSS

CVE•added 2020/03/02 4:15 a.m.•467 views

CVE-2020-9546

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

9.8CVSS9.2AI score0.02327EPSS

CVE•added 2020/03/02 4:15 a.m.•442 views

CVE-2020-9547

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

9.8CVSS9.1AI score0.43938EPSS

CVE•added 2020/02/10 9:56 p.m.•417 views

CVE-2020-8840

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

9.8CVSS9.3AI score0.08164EPSS

CVE•added 2020/03/02 4:15 a.m.•417 views

CVE-2020-9548

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

9.8CVSS9.1AI score0.62699EPSS

CVE•added 2020/03/31 5:15 a.m.•416 views

CVE-2020-11113

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

8.8CVSS8.3AI score0.61746EPSS

CVE•added 2020/06/14 8:15 p.m.•381 views

CVE-2020-14061

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and orac...

8.1CVSS8.5AI score0.0615EPSS

CVE•added 2020/03/18 10:15 p.m.•377 views

CVE-2020-10672

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

8.8CVSS8.3AI score0.4007EPSS

CVE•added 2020/04/07 11:15 p.m.•364 views

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

8.1CVSS8AI score0.01826EPSS

CVE•added 2020/01/03 4:15 a.m.•363 views

CVE-2019-20330

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

9.8CVSS9.2AI score0.01997EPSS

CVE•added 2020/06/14 8:15 p.m.•362 views

CVE-2020-14062

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

8.1CVSS8.6AI score0.07706EPSS

CVE•added 2020/03/26 1:15 p.m.•360 views

CVE-2020-10968

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

8.8CVSS8.3AI score0.06632EPSS

CVE•added 2020/03/26 1:15 p.m.•355 views

CVE-2020-10969

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

8.8CVSS8.3AI score0.01478EPSS

CVE•added 2020/03/31 5:15 a.m.•355 views

CVE-2020-11111

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

8.8CVSS8.3AI score0.02196EPSS

CVE•added 2020/06/16 4:15 p.m.•350 views

CVE-2020-14195

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

8.1CVSS8.5AI score0.09511EPSS

CVE•added 2020/03/18 10:15 p.m.•346 views

CVE-2020-10673

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

8.8CVSS8.3AI score0.20473EPSS

CVE•added 2020/06/14 9:15 p.m.•345 views

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

8.1CVSS8.6AI score0.08718EPSS

CVE•added 2020/03/31 5:15 a.m.•331 views

CVE-2020-11112

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

8.8CVSS8.3AI score0.11418EPSS

CVE•added 2020/04/07 11:15 p.m.•306 views

CVE-2020-11620

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

8.1CVSS8AI score0.02796EPSS

CVE•added 2020/03/02 9:15 p.m.•294 views

CVE-2019-14893

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @Jso...

9.8CVSS9.5AI score0.00698EPSS

CVE•added 2020/12/27 5:15 a.m.•264 views

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

8.1CVSS7.7AI score0.39669EPSS

CVE•added 2020/09/17 7:15 p.m.•257 views

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

8.1CVSS7.7AI score0.02107EPSS

CVE•added 2020/12/17 7:15 p.m.•230 views

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

8.1CVSS7.7AI score0.06892EPSS

CVE•added 2020/12/17 7:15 p.m.•222 views

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

8.1CVSS7.7AI score0.04749EPSS

CVE•added 2020/03/02 5:15 p.m.•205 views

CVE-2019-14892

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

9.8CVSS9.4AI score0.00873EPSS

CVE•added 2020/08/25 6:15 p.m.•192 views

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

8.1CVSS7.7AI score0.03783EPSS