Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

https://github.com/FasterXML/jackson-databind/issues/2854

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://security.netapp.com/advisory/ntap-20210219-0008/

https://www.oracle.com//security-alerts/cpujul2021.html

Related Vulnerabilities

CVE-2023-35839 Vulnerability in maven package org.noear:solon.serialization.hessian

CVE-2022-23647 Vulnerability in npm package prismjs

CVE-2022-36914 Vulnerability in maven package org.jenkins-ci.plugins:files-found-trigger

CVE-2023-35151 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rest-server

CVE-2020-28441 Vulnerability in npm package conf-cfg-ini

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory Mailing List NVD-CWE-noinfo