Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Fasterxml Subscribe
Total 74 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-9546 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Active Iq Unified Manager and 28 more 2021-12-02 6.8 MEDIUM 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVE-2020-14062 4 Debian, Fasterxml, Netapp and 1 more 13 Debian Linux, Jackson-databind, Active Iq Unified Manager and 10 more 2021-11-17 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVE-2020-14060 3 Fasterxml, Netapp, Oracle 12 Jackson-databind, Active Iq Unified Manager, Steelstore Cloud Integrated Storage and 9 more 2021-11-17 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVE-2020-14195 4 Debian, Fasterxml, Netapp and 1 more 14 Debian Linux, Jackson-databind, Active Iq Unified Manager and 11 more 2021-11-17 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVE-2020-14061 4 Debian, Fasterxml, Netapp and 1 more 15 Debian Linux, Jackson-databind, Active Iq Unified Manager and 12 more 2021-11-17 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVE-2019-16942 6 Debian, Fasterxml, Fedoraproject and 3 more 28 Debian Linux, Jackson-databind, Fedora and 25 more 2021-07-20 7.5 HIGH 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVE-2019-16943 6 Debian, Fasterxml, Fedoraproject and 3 more 26 Debian Linux, Jackson-databind, Fedora and 23 more 2021-07-20 6.8 MEDIUM 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVE-2019-20330 4 Debian, Fasterxml, Netapp and 1 more 29 Debian Linux, Jackson-databind, Active Iq Unified Manager and 26 more 2021-07-20 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVE-2019-17531 5 Debian, Fasterxml, Netapp and 2 more 22 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 19 more 2021-07-20 6.8 MEDIUM 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVE-2018-14718 5 Debian, Fasterxml, Netapp and 2 more 26 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 23 more 2021-05-21 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2018-14719 5 Debian, Fasterxml, Netapp and 2 more 21 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 18 more 2021-05-21 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-7489 4 Debian, Fasterxml, Oracle and 1 more 5 Debian Linux, Jackson-databind, Communications Billing And Revenue Management and 2 more 2021-03-24 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVE-2019-14893 3 Fasterxml, Netapp, Oracle 4 Jackson-databind, Oncommand Api Services, Steelstore Cloud Integrated Storage and 1 more 2021-03-16 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVE-2018-11307 3 Fasterxml, Oracle, Redhat 8 Jackson-databind, Clusterware, Communications Instant Messaging Server and 5 more 2021-02-22 7.5 HIGH 9.8 CRITICAL
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVE-2020-8840 5 Debian, Fasterxml, Huawei and 2 more 9 Debian Linux, Jackson-databind, Oceanstor 9000 and 6 more 2021-02-22 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVE-2019-16335 6 Debian, Fasterxml, Fedoraproject and 3 more 18 Debian Linux, Jackson-databind, Fedora and 15 more 2021-02-22 7.5 HIGH 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVE-2019-17267 5 Debian, Fasterxml, Netapp and 2 more 13 Debian Linux, Jackson-databind, Active Iq Unified Manager and 10 more 2021-02-22 7.5 HIGH 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVE-2019-14540 6 Debian, Fasterxml, Fedoraproject and 3 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2021-02-22 7.5 HIGH 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2020-11620 4 Debian, Fasterxml, Netapp and 1 more 18 Debian Linux, Jackson-databind, Active Iq Unified Manager and 15 more 2021-02-22 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVE-2020-11619 4 Debian, Fasterxml, Netapp and 1 more 21 Debian Linux, Jackson-databind, Active Iq Unified Manager and 18 more 2021-02-22 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).