Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

https://github.com/FasterXML/jackson-databind/issues/2854

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://security.netapp.com/advisory/ntap-20210219-0008/

https://www.oracle.com//security-alerts/cpujul2021.html

Related Vulnerabilities

CVE-2020-36188 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-17532 Vulnerability in maven package org.apache.servicecomb:foundation-config

CVE-2022-25873 Vulnerability in maven package org.webjars.npm:vuetify

CVE-2022-40764 Vulnerability in npm package snyk-go-plugin

CVE-2019-8331 Vulnerability in maven package org.webjars.bowergithub.angular-ui:bootstrap

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory Mailing List NVD-CWE-noinfo