CVE-2021-20190
Published 2021-01-19
Priority: P3 (51) | Severity: high | CVSS 3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.48% (93.7th percentile)
A flaw was found in jackson-databind before 2.9.10.7 (and, on the 2.6 branch, before 2.6.7.5). FasterXML mishandles the interaction between serialization gadgets and typing: a class under javax.swing was still accepted as a polymorphic type id and could therefore be instantiated from attacker-controlled JSON, and the fix adds it to the library's gadget blocklist. As with the earlier jackson-databind gadget CVEs, exploitation requires that the application enable polymorphic type handling for untrusted input (default typing, or @JsonTypeInfo on a property typed Object, Serializable or similar) and that the gadget class be present on the classpath; applications that deserialize only concrete, declared types are not exposed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
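The unsafe condition the description refers to, shown as an added example written for this page (it is not code from the advisory, from Red Hat, or from the jackson-databind project): a mapper with global default typing lets the JSON document choose the class that is instantiated into an Object-typed field, which is what turns a gadget class such as the javax.swing one blocked in 2.9.10.7 into a reachable sink; the hardened mapper restricts type ids with a PolymorphicTypeValidator. The validator API needs jackson-databind 2.10 or later. The package and class names com.example.demo.PolymorphicTypingDemo, Envelope and Trusted and both JSON inputs are constructed for the demonstration, and java.util.HashMap stands in for a gadget class so the demo does nothing harmful.

```java
package com.example.demo;

import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example for this page; not part of the advisory or of jackson-databind.
// Everything under com.example.demo and both JSON inputs are constructed for the demo.
public class PolymorphicTypingDemo {

    // A DTO with an Object-typed field. With default typing enabled, the JSON
    // document (not the application) decides which class is instantiated here.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // The one polymorphic subtype the application actually expects.
    public static class Trusted {
        public String note;
    }

    // Constructed input. java.util.HashMap is harmless and stands in for a gadget
    // class; with WRAPPER_ARRAY typing the first array element is the type id.
    public static final String UNTRUSTED_JSON =
        "{\"id\":\"42\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    // UNSAFE: global default typing with no allow-list. This is the configuration
    // the jackson-databind gadget CVEs require. The library's built-in blocklist
    // (SubTypeValidator) is the only control, and every newly found gadget, the
    // javax.swing class fixed in 2.9.10.7 included, needs a new release to block.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unsafeMapper() {
        return new ObjectMapper().enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, WRAPPER_ARRAY
    }

    // HARDENED: default typing still on, but every type id must resolve to a class
    // on the allow-list. Anything else fails closed with InvalidTypeIdException
    // before a constructor or setter of the named class is ever run.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Trusted.class)       // exact application types you own ...
            .allowIfSubType("com.example.demo.") // ... or a package prefix you control
            .build();
        return new ObjectMapper().activateDefaultTyping(
            ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    public static Object deserializePayload(ObjectMapper mapper, String json) throws IOException {
        return mapper.readValue(json, Envelope.class).payload;
    }

    public static void main(String[] args) throws IOException {
        // 1. Unsafe mapper: the input chose the class, and jackson built it.
        Object p = deserializePayload(unsafeMapper(), UNTRUSTED_JSON);
        System.out.println("unsafe mapper instantiated " + p.getClass().getName());

        // 2. Hardened mapper: the same input is rejected by the validator.
        try {
            deserializePayload(hardenedMapper(), UNTRUSTED_JSON);
            System.out.println("unexpected: hardened mapper accepted the payload");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id " + e.getTypeId());
        }

        // 3. Hardened mapper still accepts the subtype that was allow-listed.
        String trustedJson = "{\"id\":\"7\",\"payload\":[\"" + Trusted.class.getName()
            + "\",{\"note\":\"ok\"}]}";
        Object t = deserializePayload(hardenedMapper(), trustedJson);
        System.out.println("hardened mapper instantiated " + t.getClass().getSimpleName());
    }
}
```

Upgrading to 2.9.10.7 or 2.6.7.5 (or the 2.12.1-1 Debian package) removes this one gadget; the validator removes the class of bug, because a type id outside the allow-list is rejected no matter which gadget it names. Better still, do not enable default typing at all and declare polymorphism per property with @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) plus @JsonSubTypes, which never puts class names in the wire format.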
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | nifi | 1.7.0 – 1.12.1 | — |
| debian | debian_linux | — | — |
| debian | jackson-databind | < 2.12.1-1 | 2.12.1-1 (bookworm) |
| fasterxml | jackson-databind | < 2.6.7.5 | 2.6.7.5 |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 0 < 2.12.1-1 | 2.12.1-1 |
| fasterxml | jackson-databind | >= 2.7.0 < 2.9.10.7 | 2.9.10.7 |
| oracle | commerce_guided_search_and_experience_manager | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 8.3 | HIGH | AV:N/AC:M/Au:N/C:P/I:P/A:C |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_oracle | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
Oracle
Oracle Commerce Risk Matrix: Experience Manager (jackson-databind) — CVE-2021-20190
vendor_oracle · 2021-07-15 · CVSS 8.1 · HIGH
CVE: CVE-2021-20190
CVSS: 8.1
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpujul2021 (JUL 2021)
Red Hat
jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
vendor_redhat · 2021-01-16 · CVSS 8.1 · HIGH · CWE-502
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact:
* JBoss Data Grid 7
* Business Pr
Debian
CVE-2021-20190: jackson-databind
vendor_debian · 2021 · CVSS 8.1 · HIGH
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Scope: local
bookworm: resolved (fixed in 2.12.1-1)
bullseye: resolved (fixed in 2.12.1-1)
forky: resolved (fixed in 2.12.1-1)
sid: resolved (fixed in 2.12.1-1)
trixie: resolved (fixed in 2.12.1-1)
OSV
Deserialization of untrusted data in jackson-databind
osv · 2021-01-20 · HIGH
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
GHSA
Deserialization of untrusted data in jackson-databind
ghsa · 2021-01-20 · HIGH · CWE-502
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
OSV
osv · 2021-01-19 · CVSS 8.1 · HIGH
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
No detection rules found.
No public exploits indexed.
References
* https://bugzilla.redhat.com/show_bug.cgi?id=1916633
* https://github.com/FasterXML/jackson-databind/issues/2854
* https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E
* https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
* https://security.netapp.com/advisory/ntap-20210219-0008/
* https://www.oracle.com//security-alerts/cpujul2021.html