Fasterxml Jackson-Databind vulnerabilities
78 known vulnerabilities affecting fasterxml/jackson-databind.
Total CVEs: 78
CISA KEV: 0
Public exploits: 2
Exploited in wild: 3
Severity breakdown: CRITICAL 26, HIGH 44, MEDIUM 8
Vulnerabilities
Page 2 of 4
CVE-2020-25649 | P3 | HIGH | CVSS 7.5 | CWE-611 | Affected: ≥ 2.6.0, < 2.6.7.4; ≥ 2.9.0, < 2.9.10.7; +2 more | Published: 2020-12-03
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Sources: NVD, OSV
CVE-2020-35728 | P3 | HIGH | CVSS 8.1 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | Published: 2020-12-27
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Sources: NVD, OSV
CVE-2019-12384 | P3 | MEDIUM | CVSS 5.9 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.7.9.6; +2 more | Published: 2019-06-24
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Sources: NVD, OSV
CVE-2018-5968 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.7.9.2; +2 more | Published: 2018-01-22
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Sources: NVD, OSV
CVE-2019-14540 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.8.11.5; +1 more | Published: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Sources: NVD, OSV
CVE-2018-19360 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.6.0, ≤ 2.6.7.2; ≥ 2.7.0, < 2.7.9.5; +2 more | Published: 2019-01-02
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Sources: NVD, OSV
CVE-2018-19362 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.6.0, ≤ 2.6.7.2; ≥ 2.7.0, < 2.7.9.5; +2 more | Published: 2019-01-02
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Sources: NVD, OSV
CVE-2019-20330 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.0.0, < 2.7.9.7; ≥ 2.8.0, < 2.8.11.5; +1 more | Published: 2020-01-03
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Sources: NVD, OSV
CVE-2018-11307 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.7.9.4; +2 more | Published: 2019-07-09
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Sources: NVD, OSV
CVE-2018-19361 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.6.0, ≤ 2.6.7.2; ≥ 2.7.0, < 2.7.9.5; +2 more | Published: 2019-01-02
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Sources: NVD, OSV
CVE-2021-20190 | P3 | HIGH | CVSS 8.1 | CWE-502 | Affected: fixed in 2.6.7.5; ≥ 2.7.0, < 2.9.10.7; +1 more | Published: 2021-01-19
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Sources: NVD, OSV
CVE-2018-12023 | P3 | HIGH | CVSS 7.5 | CWE-502 | Affected: ≥ 2.7.0, < 2.7.9.4; ≥ 2.8.0, < 2.8.11.2; +1 more | Published: 2019-03-21
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Sources: NVD, OSV
CVE-2020-36188 | P3 | HIGH | CVSS 8.1 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | Published: 2021-01-06
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Sources: NVD, OSV
CVE-2020-36184 | P3 | HIGH | CVSS 8.1 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | Published: 2021-01-06
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Sources: NVD, OSV
CVE-2020-14060 | P3 | HIGH | CVSS 8.1 | CWE-502 | Affected: ≥ 2.0.0, < 2.9.10.5 | Published: 2020-06-14
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Sources: NVD, OSV
CVE-2026-54512 | P3 | HIGH | CVSS 8.1 | CWE-184 | Affected: ≥ 2.10.0, < 2.18.8; ≥ 2.19.0, < 2.21.4; +4 more | Published: 2026-06-23
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic
Sources: NVD
CVE-2018-12022 | P3 | HIGH | CVSS 7.5 | CWE-502 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.7.9.4; +2 more | Published: 2019-03-21
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the servic
Sources: NVD, OSV
CVE-2020-35491 | P3 | HIGH | CVSS 8.1 | CWE-502 | Affected: ≥ 2.0.0, < 2.9.10.8 | Published: 2020-12-17
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
Sources: NVD, OSV
CVE-2019-16335 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.8.11.5; +1 more | Published: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Sources: NVD, OSV
CVE-2019-17267 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 2.0.0, < 2.8.11.5; ≥ 2.9.0, < 2.9.10 | Published: 2019-10-07
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Sources: NVD, OSV