Jackson Databind

jackson-databind

Vendor: Fasterxml • 70 CVEs

CVEs (70)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-19360 4Debian FasterxmlOracle+1 more 12Automation Manager Business Process Management SuiteDebian Linux+9 more Nov 21, 2024 Jan 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-14721 4Debian FasterxmlOracle+1 more 12Banking Platform Communications Billing And Revenue ManagementDebian Linux+9 more Nov 21, 2024 Jan 2, 2019 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720 4Debian FasterxmlOracle+1 more 12Banking Platform Communications Billing And Revenue ManagementDebian Linux+9 more Nov 21, 2024 Jan 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14719 5Debian FasterxmlNetapp+2 more 20Banking Platform Business Process Management SuiteClusterware+17 more Nov 21, 2024 Jan 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-14718 5Debian FasterxmlNetapp+2 more 25Banking Platform Business Process Management SuiteCommunications Billing And Revenue Management+22 more Nov 21, 2024 Jan 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2018-7489 4Debian FasterxmlOracle+1 more 5Communications Billing And Revenue Management Communications Instant Messaging ServerDebian Linux+2 more Nov 21, 2024 Feb 26, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploi...Show more FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.Show less
CVE-2017-7525 5Debian FasterxmlNetapp+2 more 21Banking Platform Communications Billing And Revenue ManagementCommunications Communications Policy Management+18 more Nov 21, 2024 Feb 6, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to t...Show more A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.Show less
CVE-2017-15095 5Debian FasterxmlNetapp+2 more 24Banking Platform ClusterwareCommunications Billing And Revenue Management+21 more Nov 21, 2024 Feb 6, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readV...Show more A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.Show less
CVE-2018-5968 4Debian FasterxmlNetapp+1 more 9Debian Linux E Series Santricity Os ControllerE Series Santricity Web Services Proxy+6 more Nov 21, 2024 Jan 22, 2018 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploita...Show more FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.Show less
CVE-2017-17485 4Debian FasterxmlNetapp+1 more 8Debian Linux E Series Santricity Os ControllerE Series Santricity Web Services Proxy+5 more Aug 27, 2025 Jan 10, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending malic...Show more FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.Show less

Previous 1 2 34