Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Fasterxml Subscribe
Total 74 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-5968 4 Debian, Fasterxml, Netapp and 1 more 10 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 7 more 2021-01-21 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVE-2017-17485 4 Debian, Fasterxml, Netapp and 1 more 9 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 6 more 2021-01-19 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVE-2018-1000873 3 Fasterxml, Netapp, Oracle 6 Jackson-modules-java8, Active Iq Unified Manager, Clusterware and 3 more 2021-01-19 4.3 MEDIUM 6.5 MEDIUM
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVE-2018-12023 5 Debian, Fasterxml, Fedoraproject and 2 more 11 Debian Linux, Jackson-databind, Fedora and 8 more 2020-10-20 5.1 MEDIUM 7.5 HIGH
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-12022 5 Debian, Fasterxml, Fedoraproject and 2 more 11 Debian Linux, Jackson-databind, Fedora and 8 more 2020-10-20 5.1 MEDIUM 7.5 HIGH
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2019-12384 3 Debian, Fasterxml, Redhat 3 Debian Linux, Jackson-databind, Enterprise Linux 2020-10-20 4.3 MEDIUM 5.9 MEDIUM
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
CVE-2019-12814 2 Debian, Fasterxml 2 Debian Linux, Jackson-databind 2020-10-20 4.3 MEDIUM 5.9 MEDIUM
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
CVE-2018-19362 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-19361 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-14721 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Banking Platform and 9 more 2020-08-31 7.5 HIGH 10.0 CRITICAL
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Banking Platform and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-19360 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2016-7051 1 Fasterxml 1 Jackson-dataformat-xml 2019-10-10 5.0 MEDIUM 8.6 HIGH
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
CVE-2016-3720 2 Fasterxml, Fedoraproject 2 Jackson-dataformat-xml, Fedora 2019-10-10 7.5 HIGH 9.8 CRITICAL
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.