Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

https://github.com/FasterXML/jackson-databind/issues/2854

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://security.netapp.com/advisory/ntap-20210219-0008/

https://www.oracle.com//security-alerts/cpujul2021.html

Related Vulnerabilities

CVE-2022-31139 Vulnerability in maven package io.github.karlatemp:unsafe-accessor

CVE-2021-39147 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2023-50449 Vulnerability in maven package com.jfinal:jfinal

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-parent

CVE-2021-21172 Vulnerability in maven package org.webjars.npm:electron

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory Mailing List NVD-CWE-noinfo