GHSA-r3gr-cxrf-hg25
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r3gr-cxrf-hg25
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r3gr-cxrf-hg25/GHSA-r3gr-cxrf-hg25.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r3gr-cxrf-hg25
- Aliases
- Published
- 2021-12-09T19:15:11Z
- Modified
- 2024-06-25T14:20:21.323050Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Serialization gadgets exploit in jackson-databind
- Details
-
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-502", "CWE-913" ], "nvd_published_at": "2020-12-17T19:15:00Z", "github_reviewed_at": "2021-04-08T21:05:38Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-35491
- https://github.com/FasterXML/jackson-databind/issues/2986
- https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d
- https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210122-0005
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Affected packages
Maven / com.fasterxml.jackson.core:jackson-databind
Package
- Name
- com.fasterxml.jackson.core:jackson-databind
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.core/jackson-databind
Affected versions
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0-rc1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0-rc1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0-rc1
2.4.0-rc2
2.4.0-rc3
2.4.0
2.4.1
2.4.1.1
2.4.1.2
2.4.1.3
2.4.2
2.4.3
2.4.4
2.4.5
2.4.5.1
2.4.6
2.4.6.1
2.5.0-rc1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.7.1
2.6.7.2
2.6.7.3
2.6.7.4
2.6.7.5
2.7.0-rc1
2.7.0-rc2
2.7.0-rc3
2.7.0
2.7.1
2.7.1-1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.9.1
2.7.9.2
2.7.9.3
2.7.9.4
2.7.9.5
2.7.9.6
2.7.9.7
2.8.0.rc1
2.8.0.rc2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.8.10
2.8.11
2.8.11.1
2.8.11.2
2.8.11.3
2.8.11.4
2.8.11.5
2.8.11.6
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.9.1
2.9.9.2
2.9.9.3
2.9.10
2.9.10.1
2.9.10.2
2.9.10.3
2.9.10.4
2.9.10.5
2.9.10.6
2.9.10.7