
Fasterxml Jackson-Databind vulnerabilities

78 known vulnerabilities affecting fasterxml/jackson-databind.

Total CVEs: 78
CISA KEV: 0
Public exploits: 2
Exploited in the wild: 3
Severity breakdown: CRITICAL 26, HIGH 44, MEDIUM 8

Vulnerabilities

Page 4 of 4
CVE-2020-10969 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 2.7.0, < 2.7.9.7; ≥ 2.8.0, < 2.8.11.6; +1 more | Published: 2020-03-26
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
Sources: NVD, OSV
CVE-2020-11112 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 2.0.0, < 2.9.10.4 | Published: 2020-03-31
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Sources: NVD, OSV
CVE-2020-10968 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 2.9.0, < 2.9.10.4 | Published: 2020-03-26
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
Sources: NVD, OSV
CVE-2020-10672 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 2.9.0, < 2.9.10.4 | Published: 2020-03-18
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Sources: NVD, OSV
CVE-2020-14195 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 2.9.0, < 2.9.10.5 | Published: 2020-06-16
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
Sources: NVD, OSV
CVE-2020-11619 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 2.0.0, < 2.9.10.4 | Published: 2020-04-07
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Sources: NVD, OSV
CVE-2019-12814 | P3 | MEDIUM | CVSS 5.9 | Affected: ≥ 2.0.0, < 2.6.7.3; ≥ 2.7.0, < 2.7.9.6; +2 more | Published: 2019-06-19
[MEDIUM] CWE-502: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbi
Sources: NVD, OSV
CVE-2020-11111 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 2.9.0, < 2.9.10.4 | Published: 2020-03-31
[HIGH] CWE-502: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Sources: NVD, OSV
CVE-2022-42003 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 2.12.7.1; ≥ 2.13.0, < 2.13.4.1 | Published: 2022-10-02
[HIGH] CWE-502: In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Sources: NVD, OSV
CVE-2020-36518 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 2.12.6.1; ≥ 2.13.0, < 2.13.2.1 | Published: 2022-03-11
[HIGH] CWE-787: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Sources: NVD, OSV
CVE-2022-42004 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 2.12.7.1; ≥ 2.13.0, < 2.13.4 | Published: 2022-10-02
[HIGH] CWE-502: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Sources: NVD, OSV
CVE-2026-54518 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 2.21.0, < 2.21.4; ≥ 3.0.0, < 3.1.4; +2 more | Published: 2026-06-23
[MEDIUM] CWE-863: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gat
Sources: NVD
CVE-2021-46877 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.10.0, < 2.12.6; v2.13.0 | Published: 2023-03-18
[HIGH] CWE-770: jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Sources: NVD, OSV
CVE-2026-54516 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.21.0, < 2.21.4; ≥ 3.0.0, < 3.1.4; +2 more | Published: 2026-06-23
[MEDIUM] CWE-915: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROP
Sources: NVD
CVE-2026-54515 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.8.0, < 2.18.9; ≥ 2.19.0, < 2.21.5; +5 more | Published: 2026-06-23
[MEDIUM] CWE-915: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has
Sources: NVD
CVE-2026-54517 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.21.0, < 2.21.4; ≥ 3.0.0, < 3.1.4; +2 more | Published: 2026-06-23
[MEDIUM] CWE-863: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(act
Sources: NVD
CVE-2026-54514 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.0.0, < 2.18.8; ≥ 2.19.0, < 2.21.4; +4 more | Published: 2026-06-23
[MEDIUM] CWE-918: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An applica
Sources: NVD
CVE-2023-35116 | P4 | MEDIUM | CVSS 4.7 | Affected: fixed in 2.16.0 | Published: 2023-06-14
[MEDIUM] CWE-770: jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an ex
Sources: NVD