Vulnerabilities > Fasterxml
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-03-02 | CVE-2019-14893 | Deserialization of Untrusted Data vulnerability in multiple products A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. | 9.8 |
2020-03-02 | CVE-2019-14892 | Deserialization of Untrusted Data vulnerability in multiple products A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. | 9.8 |
2020-03-02 | CVE-2020-9548 | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | 9.8 |
2020-03-02 | CVE-2020-9547 | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). | 9.8 |
2020-03-02 | CVE-2020-9546 | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | 9.8 |
2020-02-10 | CVE-2020-8840 | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | 9.8 |
2020-01-03 | CVE-2019-20330 | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | 9.8 |
2019-11-18 | CVE-2019-10172 | XXE vulnerability in multiple products A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. | 7.5 |
2019-10-12 | CVE-2019-17531 | Deserialization of Untrusted Data vulnerability in multiple products A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. | 9.8 |
2019-10-07 | CVE-2019-17267 | Deserialization of Untrusted Data vulnerability in multiple products A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. | 9.8 |