Impact
The flaw occurs in jackson‑databind’s deserialization logic where a case‑insensitive path restores properties that should have been excluded by @JsonIgnoreProperties. The ignored fields become writable again, allowing an attacker to inject data into attributes that were expected to be protected. This manipulation can alter application behavior or compromise configuration integrity, potentially leading to unauthorized actions.
Affected Systems
Impact is limited to FasterXML: jackson‑databind. All releases from 2.8.0 up to but excluding 2.18.9, 2.21.5, and 3.1.4 are vulnerable; specifically versions 2.8.0‑2.18.8, 2.21.0‑2.21.4, and 3.1.0‑3.1.3 contain the flaw.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. Without an EPSS value the exploitation probability is unclear, and the vulnerability is not listed in KEV. The likely attack vector is the ability to send crafted JSON payloads to an application that deserializes incoming data using jackson‑databind with @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) enabled or when case‑insensitive deserialization is otherwise active. Exploitation would let an attacker write to previously ignored properties, enabling data tampering or misconfiguration, but the impact is confined to the deserialized object scope.
OpenCVE Enrichment
Github GHSA