Description
A flaw was found in jackson-databind before 2.9.10.7. FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1916633
https://github.com/FasterXML/jackson-databind/issues/2854
https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
https://security.netapp.com/advisory/ntap-20210219-0008/
https://www.oracle.com//security-alerts/cpujul2021.html
Related Vulnerabilities
CVE-2023-35839 Vulnerability in maven package org.noear:solon.serialization.hessian
CVE-2020-28865 Vulnerability in maven package com.github.kfcfans:powerjob
CVE-2023-30526 Vulnerability in maven package org.jenkins-ci.plugins:reportportal
CVE-2022-40955 Vulnerability in maven package org.apache.inlong:sort-connector-mysql-cdc
CVE-2013-4590 Vulnerability in maven package org.apache.tomcat:catalina