Vendor
Fasterxml
Products
1
CVEs
10
Across products
10
Status
Private
Products
1- 10 CVEs
Recent CVEs
10| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-9546 | Cri | 0.57 | 9.8 | 0.02 | Mar 2, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | |
| CVE-2020-11113 | Hig | 0.55 | 8.8 | 0.61 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | |
| CVE-2020-11112 | Hig | 0.51 | 8.8 | 0.07 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | |
| CVE-2020-35728 | Hig | 0.49 | 8.1 | 0.42 | Dec 27, 2020 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). | |
| CVE-2020-36183 | Hig | 0.46 | 8.1 | 0.02 | Jan 7, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | |
| CVE-2020-14060 | Hig | 0.46 | 8.1 | 0.09 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). | |
| CVE-2020-14062 | Hig | 0.46 | 8.1 | 0.10 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | |
| CVE-2020-11619 | Hig | 0.46 | 8.1 | 0.01 | Apr 7, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | |
| CVE-2017-7525 | 0.00 | — | 0.82 | Feb 6, 2018 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | ||
| CVE-2017-15095 | 0.00 | — | 0.08 | Feb 6, 2018 | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. |