Filtered by vendor Fasterxml Subscriptions
Filtered by product Jackson-databind Subscriptions
Total 70 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-16335 6 Debian, Fasterxml, Fedoraproject and 3 more 26 Debian Linux, Jackson-databind, Fedora and 23 more 2024-08-05 9.8 Critical
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVE-2019-14893 4 Fasterxml, Netapp, Oracle and 1 more 12 Jackson-databind, Oncommand Api Services, Steelstore Cloud Integrated Storage and 9 more 2024-08-05 9.8 Critical
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVE-2019-14892 3 Apache, Fasterxml, Redhat 13 Geode, Jackson-databind, Decision Manager and 10 more 2024-08-05 9.8 Critical
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2019-14540 6 Debian, Fasterxml, Fedoraproject and 3 more 28 Debian Linux, Jackson-databind, Fedora and 25 more 2024-08-05 9.8 Critical
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-14439 6 Apache, Debian, Fasterxml and 3 more 20 Drill, Debian Linux, Jackson-databind and 17 more 2024-08-05 7.5 High
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVE-2019-14379 7 Apple, Debian, Fasterxml and 4 more 37 Xcode, Debian Linux, Jackson-databind and 34 more 2024-08-05 9.8 Critical
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVE-2019-12814 3 Debian, Fasterxml, Redhat 12 Debian Linux, Jackson-databind, Amq Streams and 9 more 2024-08-04 5.9 Medium
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
CVE-2019-12384 3 Debian, Fasterxml, Redhat 12 Debian Linux, Jackson-databind, Amq Streams and 9 more 2024-08-04 5.9 Medium
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
CVE-2019-12086 3 Debian, Fasterxml, Redhat 12 Debian Linux, Jackson-databind, Amq Streams and 9 more 2024-08-04 7.5 High
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
CVE-2020-36518 5 Debian, Fasterxml, Netapp and 2 more 48 Debian Linux, Jackson-databind, Active Iq Unified Manager and 45 more 2024-08-04 7.5 High
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVE-2020-36182 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36180 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36189 5 Debian, Fasterxml, Netapp and 2 more 42 Debian Linux, Jackson-databind, Cloud Backup and 39 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CVE-2020-36185 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-36186 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVE-2020-36184 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-36183 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVE-2020-36188 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVE-2020-36181 5 Debian, Fasterxml, Netapp and 2 more 46 Debian Linux, Jackson-databind, Service Level Manager and 43 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36179 5 Debian, Fasterxml, Netapp and 2 more 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more 2024-08-04 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.