rpm package
almalinux/jackson-jaxrs-json-provider
pkg:rpm/almalinux/jackson-jaxrs-json-provider
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-52999 | Hig | — | < 2.19.1-1.module_el8.10.0+4034+20822525 | 2.19.1-1.module_el8.10.0+4034+20822525 | Jun 25, 2025 | jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de | |
| CVE-2020-36518 | — | < 2.14.2-1.module_el8.10.0+3791+e0637953 | 2.14.2-1.module_el8.10.0+3791+e0637953 | Mar 11, 2022 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | ||
| CVE-2019-17531 | — | < 2.9.9-1.module_el8.5.0+2577+9e95fe00 | 2.9.9-1.module_el8.5.0+2577+9e95fe00 | Oct 12, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the | ||
| CVE-2019-16943 | — | < 2.9.9-1.module_el8.5.0+2577+9e95fe00 | 2.9.9-1.module_el8.5.0+2577+9e95fe00 | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att | ||
| CVE-2019-16942 | — | < 2.9.9-1.module_el8.5.0+2577+9e95fe00 | 2.9.9-1.module_el8.5.0+2577+9e95fe00 | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a | ||
| CVE-2019-16335 | — | < 2.9.9-1.module_el8.5.0+2577+9e95fe00 | 2.9.9-1.module_el8.5.0+2577+9e95fe00 | Sep 15, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | ||
| CVE-2019-14540 | — | < 2.9.9-1.module_el8.5.0+2577+9e95fe00 | 2.9.9-1.module_el8.5.0+2577+9e95fe00 | Sep 15, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | ||
| CVE-2019-12384 | — | < 2.9.9-1.module_el8.5.0+2577+9e95fe00 | 2.9.9-1.module_el8.5.0+2577+9e95fe00 | Jun 24, 2019 | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. |
- affected < 2.19.1-1.module_el8.10.0+4034+20822525fixed 2.19.1-1.module_el8.10.0+4034+20822525
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de
- CVE-2020-36518Mar 11, 2022affected < 2.14.2-1.module_el8.10.0+3791+e0637953fixed 2.14.2-1.module_el8.10.0+3791+e0637953
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- CVE-2019-17531Oct 12, 2019affected < 2.9.9-1.module_el8.5.0+2577+9e95fe00fixed 2.9.9-1.module_el8.5.0+2577+9e95fe00
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the
- CVE-2019-16943Oct 1, 2019affected < 2.9.9-1.module_el8.5.0+2577+9e95fe00fixed 2.9.9-1.module_el8.5.0+2577+9e95fe00
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att
- CVE-2019-16942Oct 1, 2019affected < 2.9.9-1.module_el8.5.0+2577+9e95fe00fixed 2.9.9-1.module_el8.5.0+2577+9e95fe00
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a
- CVE-2019-16335Sep 15, 2019affected < 2.9.9-1.module_el8.5.0+2577+9e95fe00fixed 2.9.9-1.module_el8.5.0+2577+9e95fe00
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
- CVE-2019-14540Sep 15, 2019affected < 2.9.9-1.module_el8.5.0+2577+9e95fe00fixed 2.9.9-1.module_el8.5.0+2577+9e95fe00
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
- CVE-2019-12384Jun 24, 2019affected < 2.9.9-1.module_el8.5.0+2577+9e95fe00fixed 2.9.9-1.module_el8.5.0+2577+9e95fe00
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.