VYPR

Maven package

com.fasterxml.jackson.core/jackson-databind

pkg:maven/com.fasterxml.jackson.core/jackson-databind

Vulnerabilities (76)

  • CVE-2026-54517medJun 23, 2026
    affected >= 2.21.0, < 2.21.4fixed 2.21.4

    ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()

  • CVE-2026-54516medJun 23, 2026
    affected >= 2.21.0, < 2.21.4fixed 2.21.4

    ## Summary `POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field is

  • CVE-2026-54515medJun 23, 2026
    affected >= 3.1.0, < 3.1.4fixed 3.1.4

    ## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property case-i

  • CVE-2026-54514medJun 23, 2026
    affected >= 2.0.0, < 2.18.8fixed 2.18.8

    ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd

  • CVE-2026-54513higJun 23, 2026
    affected >= 2.10.0, < 2.18.8fixed 2.18.8

    ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli

  • CVE-2026-54512higJun 23, 2026
    affected >= 2.10.0, < 2.18.8fixed 2.18.8

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal

  • CVE-2026-50193medJun 23, 2026
    affected >= 2.10.0, < 2.14.0fixed 2.14.0

    ### Impact Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service: 1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (ObjectMapper.readTree()) 2. Writes out same (or modifided) node using `JsonNode.toString()` which can consume si

  • CVE-2026-54518medJun 23, 2026
    affected >= 2.21.0, < 2.21.4fixed 2.21.4

    ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea

  • CVE-2021-46877Mar 18, 2023
    affected >= 2.10.0, < 2.12.6fixed 2.12.6

    jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

  • CVE-2020-10650Dec 26, 2022
    affected < 2.9.10.4fixed 2.9.10.4

    A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and

  • CVE-2022-42003Oct 2, 2022
    affected >= 2.4.0-rc1, < 2.12.7.1fixed 2.12.7.1

    In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

  • CVE-2020-36518Mar 11, 2022
    affected >= 2.13.0, < 2.13.2.1fixed 2.13.2.1

    jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

  • CVE-2021-20190Jan 19, 2021
    affected >= 2.7.0, < 2.9.10.7fixed 2.9.10.7

    A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

  • CVE-2020-36183HigJan 7, 2021
    affected >= 2.7.00, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

  • CVE-2020-36179Jan 6, 2021
    affected >= 2.7.0, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

  • CVE-2020-36180Jan 6, 2021
    affected >= 2.7.0, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

  • CVE-2020-36182Jan 6, 2021
    affected >= 2.7.0, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

  • CVE-2020-36184Jan 6, 2021
    affected >= 2.0.0, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

  • CVE-2020-36185Jan 6, 2021
    affected >= 2.0.0, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

  • CVE-2020-36186Jan 6, 2021
    affected >= 2.0.0, < 2.9.10.8fixed 2.9.10.8

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Page 1 of 4