Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

https://github.com/FasterXML/jackson-databind/issues/2854

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://security.netapp.com/advisory/ntap-20210219-0008/

https://www.oracle.com//security-alerts/cpujul2021.html

Related Vulnerabilities

CVE-2023-37460 Vulnerability in maven package org.codehaus.plexus:plexus-archiver

CVE-2014-3600 Vulnerability in maven package org.apache.activemq:activemq-client

CVE-2021-32013 Vulnerability in npm package xlsx

CVE-2022-28355 Vulnerability in maven package org.scala-js:scalajs-library_2.12

CVE-2021-23346 Vulnerability in npm package html-parse-stringify2

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory Mailing List NVD-CWE-noinfo