rpm package
almalinux/jackson-module-jaxb-annotations
pkg:rpm/almalinux/jackson-module-jaxb-annotations
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-52999 | High | — | | < 2.19.1-1.module_el8.10.0+4034+20822525 | 2.19.1-1.module_el8.10.0+4034+20822525 | Jun 25, 2025 | jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de |
| CVE-2020-36518 | | — | | < 2.14.2-2.module_el8.10.0+3791+e0637953 | 2.14.2-2.module_el8.10.0+3791+e0637953 | Mar 11, 2022 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |
| CVE-2019-17531 | | — | | < 2.7.6-4.module_el8.5.0+2577+9e95fe00 | 2.7.6-4.module_el8.5.0+2577+9e95fe00 | Oct 12, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the |
| CVE-2019-16943 | | — | | < 2.7.6-4.module_el8.5.0+2577+9e95fe00 | 2.7.6-4.module_el8.5.0+2577+9e95fe00 | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att |
| CVE-2019-16942 | | — | | < 2.7.6-4.module_el8.5.0+2577+9e95fe00 | 2.7.6-4.module_el8.5.0+2577+9e95fe00 | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a |
| CVE-2019-16335 | | — | | < 2.7.6-4.module_el8.5.0+2577+9e95fe00 | 2.7.6-4.module_el8.5.0+2577+9e95fe00 | Sep 15, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. |
| CVE-2019-14540 | | — | | < 2.7.6-4.module_el8.5.0+2577+9e95fe00 | 2.7.6-4.module_el8.5.0+2577+9e95fe00 | Sep 15, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. |
| CVE-2019-12384 | | — | | < 2.7.6-4.module_el8.5.0+150+5f0dbea0 | 2.7.6-4.module_el8.5.0+150+5f0dbea0 | Jun 24, 2019 | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. |
| CVE-2018-11784 | | — | | < 2.7.6-4.module_el8.5.0+150+5f0dbea0 | 2.7.6-4.module_el8.5.0+150+5f0dbea0 | Oct 4, 2018 | When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated |
| CVE-2018-8037 | | — | | < 2.7.6-4.module_el8.5.0+150+5f0dbea0 | 2.7.6-4.module_el8.5.0+150+5f0dbea0 | Aug 2, 2018 | If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors |
| CVE-2018-8034 | | — | | < 2.7.6-4.module_el8.5.0+150+5f0dbea0 | 2.7.6-4.module_el8.5.0+150+5f0dbea0 | Aug 1, 2018 | The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. |
| CVE-2018-8014 | | — | | < 2.7.6-4.module_el8.5.0+150+5f0dbea0 | 2.7.6-4.module_el8.5.0+150+5f0dbea0 | May 16, 2018 | The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it approp |