Description
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1916633
https://github.com/FasterXML/jackson-databind/issues/2854
https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
https://security.netapp.com/advisory/ntap-20210219-0008/
https://www.oracle.com//security-alerts/cpujul2021.html
Related Vulnerabilities
CVE-2020-36188 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-17532 Vulnerability in maven package org.apache.servicecomb:foundation-config
CVE-2022-25873 Vulnerability in maven package org.webjars.npm:vuetify
CVE-2022-40764 Vulnerability in npm package snyk-go-plugin
CVE-2019-8331 Vulnerability in maven package org.webjars.bowergithub.angular-ui:bootstrap