Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

https://github.com/FasterXML/jackson-databind/issues/2854

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://security.netapp.com/advisory/ntap-20210219-0008/

https://www.oracle.com//security-alerts/cpujul2021.html

Related Vulnerabilities

CVE-2022-25760 Vulnerability in npm package accesslog

CVE-2021-43090 Vulnerability in maven package com.predic8:soa-model-core

CVE-2023-26487 Vulnerability in npm package vega

CVE-2016-10531 Vulnerability in maven package org.webjars.bower:marked

CVE-2023-29526 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-async-api

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory Mailing List NVD-CWE-noinfo