CVE-2021-20190 — Deserialization of Untrusted Data in Jackson-databind

CWE-502 — Deserialization of Untrusted Data8 documents7 sources

Severity

8.1HIGHNVD

EPSS

0.5%

top 33.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Apache Nifi Debian Linux +1 more

Timeline

PublishedJan 19

Latest updateJul 15

Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶NVDfasterxml/jackson-databind2.7.0 — 2.9.10.7+1

▶Debianfasterxml/jackson-databind< 2.12.1-1+3

▶CVEListV5fasterxml/jackson-databindjackson-databind 2.9.10.7

▶NVDapache/nifi1.7.0 — 1.12.1

▶NVDoracle/commerce_guided_search_and_experience_manager11.3.2

Also affects: Debian Linux 9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Deserialization of untrusted data in jackson-databind↗2021-01-20

▶

GHSA

Deserialization of untrusted data in jackson-databind↗2021-01-20

▶

CVEList

CVE-2021-20190: A flaw was found in jackson-databind before 2↗2021-01-19

▶

OSV

CVE-2021-20190: A flaw was found in jackson-databind before 2↗2021-01-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Commerce Risk Matrix: Experience Manage (jackson-databind) — CVE-2021-20190↗2021-07-15

▶

Red Hat

jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing↗2021-01-16

▶

Debian

CVE-2021-20190: jackson-databind - A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the i...↗2021

▶