Filtered by vendor Fasterxml Subscriptions
Total 77 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-3894 1 Fasterxml 1 Jackson-dataformats-text 2024-09-27 5.8 Medium
Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVE-2017-7525 5 Debian, Fasterxml, Netapp and 2 more 30 Debian Linux, Jackson-databind, Oncommand Balance and 27 more 2024-09-17 9.8 Critical
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVE-2017-15095 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more 2024-09-16 9.8 Critical
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVE-2020-28491 4 Fasterxml, Oracle, Quarkus and 1 more 11 Jackson-dataformats-binary, Weblogic Server, Quarkus and 8 more 2024-09-16 7.5 High
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
CVE-2022-40152 3 Fasterxml, Redhat, Xstream Project 8 Woodstox, Camel Quarkus, Camel Spring Boot and 5 more 2024-09-16 6.5 Medium
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVE-2016-7051 1 Fasterxml 1 Jackson-dataformat-xml 2024-08-06 8.6 High
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
CVE-2016-3720 2 Fasterxml, Fedoraproject 2 Jackson-dataformat-xml, Fedora 2024-08-06 9.8 Critical
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
CVE-2017-17485 4 Debian, Fasterxml, Netapp and 1 more 15 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 12 more 2024-08-05 9.8 Critical
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVE-2018-1000873 4 Fasterxml, Netapp, Oracle and 1 more 7 Jackson-modules-java8, Active Iq Unified Manager, Clusterware and 4 more 2024-08-05 6.5 Medium
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVE-2018-19361 4 Debian, Fasterxml, Oracle and 1 more 22 Debian Linux, Jackson-databind, Business Process Management Suite and 19 more 2024-08-05 N/A
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-19360 4 Debian, Fasterxml, Oracle and 1 more 22 Debian Linux, Jackson-databind, Business Process Management Suite and 19 more 2024-08-05 N/A
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-19362 4 Debian, Fasterxml, Oracle and 1 more 22 Debian Linux, Jackson-databind, Business Process Management Suite and 19 more 2024-08-05 N/A
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-14720 4 Debian, Fasterxml, Oracle and 1 more 21 Debian Linux, Jackson-databind, Banking Platform and 18 more 2024-08-05 N/A
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14718 5 Debian, Fasterxml, Netapp and 2 more 36 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 33 more 2024-08-05 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2018-14719 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 28 more 2024-08-05 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-14721 4 Debian, Fasterxml, Oracle and 1 more 21 Debian Linux, Jackson-databind, Banking Platform and 18 more 2024-08-05 N/A
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-12023 5 Debian, Fasterxml, Fedoraproject and 2 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2024-08-05 N/A
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-12022 5 Debian, Fasterxml, Fedoraproject and 2 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2024-08-05 7.5 High
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-11307 3 Fasterxml, Oracle, Redhat 18 Jackson-databind, Clusterware, Communications Instant Messaging Server and 15 more 2024-08-05 9.8 Critical
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVE-2018-7489 4 Debian, Fasterxml, Oracle and 1 more 10 Debian Linux, Jackson-databind, Communications Billing And Revenue Management and 7 more 2024-08-05 N/A
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.