Fasterxml Jackson-Databind vulnerabilities

78 known vulnerabilities affecting fasterxml/jackson-databind.

Total CVEs: 78
CISA KEV: 0
Public exploits: 2
Exploited in wild: 3
Severity breakdown: CRITICAL 26, HIGH 44, MEDIUM 8

Vulnerabilities

Page 3 of 4
CVE-2020-14062 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.9.10.5 | 2020-06-14
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
nvd, osv
CVE-2020-36183 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
nvd, osv
CVE-2020-24616 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.9.10.6 | 2020-08-25
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
nvd, osv
CVE-2026-54513 | P3 | HIGH | CVSS 8.1 | ≥ 2.10.0, < 2.18.8; ≥ 2.19.0, < 2.21.4; +4 more | 2026-06-23
CWE-184: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the config
nvd
CVE-2019-14439 | P3 | HIGH | CVSS 7.5 | ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.7.9.6; +2 more | 2019-07-30
CWE-502: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
nvd, osv
CVE-2020-35490 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.9.10.8 | 2020-12-17
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
nvd, osv
CVE-2020-24750 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.6 | 2020-09-17
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
nvd, osv
CVE-2020-36185 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
nvd, osv
CVE-2020-36186 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
nvd, osv
CVE-2020-14061 | P3 | HIGH | CVSS 8.1 | ≥ 2.9.0, < 2.9.10.5 | 2020-06-14
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-a
nvd, osv
CVE-2020-10673 | P3 | HIGH | CVSS 8.8 | ≥ 2.0.0, < 2.6.7.4; ≥ 2.9.0, < 2.9.10.4 | 2020-03-18
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
nvd, osv
CVE-2020-9546 | P3 | CRITICAL | CVSS 9.8 | ≥ 2.0.0, < 2.7.9.7; ≥ 2.8.0, < 2.8.11.6; +1 more | 2020-03-02
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
nvd, osv
CVE-2020-36187 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
nvd, osv
CVE-2026-50193 | P3 | HIGH | CVSS 7.5 | ≥ 2.10.0, < 2.14.0 | 2026-06-23
CWE-400: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or mo
nvd
CVE-2020-36180 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
nvd, osv
CVE-2020-36182 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-07
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
nvd, osv
CVE-2020-36181 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
nvd, osv
CVE-2020-36189 | P3 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.6.7.5; ≥ 2.7.0, < 2.9.10.8 | 2021-01-06
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
nvd, osv
CVE-2020-11113 | P3 | HIGH | CVSS 8.8 | ≥ 2.0.0, < 2.9.10.4 | 2020-03-31
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
nvd, osv
CVE-2020-11620 | P3 | HIGH | CVSS 8.1 | ≥ 2.9.0, < 2.9.10.4 | 2020-04-07
CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
nvd, osv