FasterXML jackson-databind vulnerabilities

70 known vulnerabilities affecting fasterxml/jackson-databind.

Total CVEs: 70
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 26, HIGH 41, MEDIUM 3

Vulnerabilities

Page 1 of 4
Columns: CVE | severity | CVSS | affected / fixed versions | date

CVE-2023-35116 | MEDIUM | CVSS 4.7 | fixed in 2.16.0 | 2023-06-14
    CWE-770: jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an ex
    Source: nvd

CVE-2021-46877 | HIGH | CVSS 7.5 | ≥ 2.10.0, < 2.12.6; v2.13.0 | 2023-03-18
    CWE-770: jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
    Source: nvd

CVE-2020-10650 | HIGH | CVSS 8.1 | fixed in 2.9.10.4; v2.10.0 | 2022-12-26
    CWE-502: A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
    Source: nvd

CVE-2022-42003 | HIGH | CVSS 7.5 | fixed in 2.12.7.1; ≥ 2.13.0, < 2.13.4.1 | 2022-10-02
    CWE-502: In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
    Source: nvd

CVE-2022-42004 | HIGH | CVSS 7.5 | fixed in 2.12.7.1; ≥ 2.13.0, < 2.13.4 | 2022-10-02
    CWE-502: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
    Source: nvd

CVE-2020-36518 | HIGH | CVSS 7.5 | fixed in 2.12.6.1; ≥ 2.13.0, < 2.13.2.1 | 2022-03-11
    CWE-787: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
    Source: nvd

CVE-2021-20190 | HIGH | CVSS 8.1 | fixed in 2.6.7.5; ≥ 2.7.0, < 2.9.10.7 | 2021-01-19
    CWE-502: A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    Source: nvd

CVE-2020-36179 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
    Source: nvd

CVE-2020-36183 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
    Source: nvd

CVE-2020-36182 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
    Source: nvd

CVE-2020-36180 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
    Source: nvd

CVE-2020-36189 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
    Source: nvd

CVE-2020-36184 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
    Source: nvd

CVE-2020-36186 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
    Source: nvd

CVE-2020-36187 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
    Source: nvd

CVE-2020-36181 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
    Source: nvd

CVE-2020-36188 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
    Source: nvd

CVE-2020-36185 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
    Source: nvd

CVE-2020-35728 | HIGH | CVSS 8.1 | ≥ 2.9.0, < 2.9.10.8 | 2020-12-27
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
    Source: nvd

CVE-2020-35491 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.9.10.8 | 2020-12-17
    CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
    Source: nvd