Maven package
com.fasterxml.jackson.core/jackson-databind
pkg:maven/com.fasterxml.jackson.core/jackson-databind
Vulnerabilities (68)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-46877 | — | — | — | >= 2.10.0, < 2.12.6 | 2.12.6 | Mar 18, 2023 | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. |
| CVE-2020-10650 | — | — | — | < 2.9.10.4 | 2.9.10.4 | Dec 26, 2022 | A deserialization flaw was discovered in jackson-databind before 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and |
| CVE-2022-42003 | — | — | — | >= 2.4.0-rc1, < 2.12.7.1 | 2.12.7.1 | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.7.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. |
| CVE-2020-36518 | — | — | — | >= 2.13.0, < 2.13.2.1 | 2.13.2.1 | Mar 11, 2022 | jackson-databind before 2.13.2.1 (and 2.12.x before 2.12.6.1) allows a Java StackOverflowError and denial of service via a large depth of nested objects. |
| CVE-2021-20190 | — | — | — | >= 2.7.0, < 2.9.10.7 | 2.9.10.7 | Jan 19, 2021 | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| CVE-2020-36183 | High | 8.1 | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 7, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. |
| CVE-2020-36179 | — | — | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36180 | — | — | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36182 | — | — | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36184 | — | — | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. |
| CVE-2020-36185 | — | — | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. |
| CVE-2020-36186 | — | — | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. |
| CVE-2020-36187 | — | — | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. |
| CVE-2020-36188 | — | — | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. |
| CVE-2020-36189 | — | — | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. |
| CVE-2020-36181 | — | — | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-35728 | High | 8.1 | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Dec 27, 2020 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). |
| CVE-2020-35490 | — | — | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Dec 17, 2020 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. |
| CVE-2020-35491 | — | — | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Dec 17, 2020 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
| CVE-2020-25649 | — | — | — | >= 2.6.0, < 2.6.7.4 | 2.6.7.4 | Dec 3, 2020 | A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw makes it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity. |
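The "Affected versions" column above uses Maven-style ranges of the form `>= a, < b`, and fourteen of the rows (the "serialization gadgets and typing" family) share the single fix version 2.9.10.8, so the practical question for a dependency scan is simply whether a given jackson-databind version falls inside any listed range. The following Python checker is an added example, not code from this page or from the jackson-databind project: it embeds the table rows above as constructed data, parses the range syntax, and reports the matching CVEs and the highest "Fixed in" version among them. The version ordering it uses (four numeric places, as in 2.9.10.8, with a pre-release qualifier such as `rc1` sorting before the final release) is an assumption about Maven-style version strings, not something the page states.

```python
import operator
import re

# Advisory rows copied from the table above: (CVE, "Affected versions", "Fixed in").
# Ranges are exactly what the table's range column lists; a description that also
# names a separate 2.13.x fix line is NOT reflected here if the range column omits it.
ADVISORIES = [
    ("CVE-2021-46877", ">= 2.10.0, < 2.12.6", "2.12.6"),
    ("CVE-2020-10650", "< 2.9.10.4", "2.9.10.4"),
    ("CVE-2022-42003", ">= 2.4.0-rc1, < 2.12.7.1", "2.12.7.1"),
    ("CVE-2020-36518", ">= 2.13.0, < 2.13.2.1", "2.13.2.1"),
    ("CVE-2021-20190", ">= 2.7.0, < 2.9.10.7", "2.9.10.7"),
    ("CVE-2020-36183", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36179", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36180", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36182", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36184", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36185", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36186", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36187", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36188", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36189", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-36181", ">= 2.7.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-35728", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-35490", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-35491", ">= 2.0.0, < 2.9.10.8", "2.9.10.8"),
    ("CVE-2020-25649", ">= 2.6.0, < 2.6.7.4", "2.6.7.4"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")
_CONSTRAINT_RE = re.compile(r"(>=|<=|>|<|=)\s*(\S+)")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def parse_version(text):
    """Turn "2.9.10.8" or "2.4.0-rc1" into a tuple that sorts in release order.

    Assumption (not stated on the page): at most four numeric places, padded with
    zeros, and a "-<qualifier><n>" suffix marks a pre-release that sorts before
    the matching final release, so 2.4.0-rc1 < 2.4.0 < 2.4.1.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) > 4:
        raise ValueError(f"more than four numeric places: {text!r}")
    nums += (0,) * (4 - len(nums))
    if m.group(2):  # pre-release: flag 0 sorts below the final release's flag 1
        return nums + (0, m.group(2).lower(), int(m.group(3) or 0))
    return nums + (1, "", 0)


def in_range(version, range_text):
    """True if `version` satisfies every comma-separated constraint in `range_text`."""
    v = parse_version(version)
    constraints = [c.strip() for c in range_text.split(",") if c.strip()]
    if not constraints:
        raise ValueError(f"empty range: {range_text!r}")
    for constraint in constraints:
        m = _CONSTRAINT_RE.fullmatch(constraint)
        if not m:
            raise ValueError(f"unrecognised constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def affecting_cves(version, advisories=ADVISORIES):
    """CVE IDs whose listed range contains `version`, in table order."""
    return [cve for cve, rng, _fixed in advisories if in_range(version, rng)]


def upgrade_target(version, advisories=ADVISORIES):
    """Highest "Fixed in" version among the matching rows, or None if nothing matches."""
    fixes = [fixed for _cve, rng, fixed in advisories if in_range(version, rng)]
    return max(fixes, key=parse_version) if fixes else None


if __name__ == "__main__":
    for v in ("2.9.10.7", "2.9.10.8", "2.13.1", "2.12.7.1"):
        print(v, len(affecting_cves(v)), "matching row(s); upgrade to", upgrade_target(v))
```

Two caveats follow from the data rather than the code. First, `upgrade_target` can cross minor lines: 2.9.10.7 matches the fourteen 2.9.10.8 rows plus CVE-2022-42003, whose only listed fix is 2.12.7.1, so the suggested target is 2.12.7.1 even though a 2.9 build may have no listed fix for that row. Second, the range column is what is checked, so 2.13.1 is reported only for CVE-2020-36518, although the descriptions of CVE-2022-42003 and CVE-2021-46877 mention 2.13.x fix lines; read the description before deciding a 2.13.x build is clean.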
Page 1 of 4