Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

References

https://github.com/FasterXML/jackson-databind/issues/2854

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

https://security.netapp.com/advisory/ntap-20210219-0008/

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

Related Vulnerabilities

CVE-2013-0239 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2020-4059 Vulnerability in npm package mversion

CVE-2022-41936 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rest-server

CVE-2022-22984 Vulnerability in npm package @snyk/snyk-hex-plugin

CVE-2020-15500 Vulnerability in npm package tileserver-gl

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Issue Tracking Mailing List