Описание
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| jackson-databind | fixed | 2.11.1-1 | package | |
| jackson-databind | fixed | 2.9.8-3+deb10u2 | buster | package |
| jackson-databind | fixed | 2.8.6-1+deb9u7 | stretch | package |
Примечания
https://github.com/FasterXML/jackson-databind/issues/2680
Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
but still an issue when Default Typing is enabled.
EPSS
Связанные уязвимости
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
jackson-databind mishandles the interaction between serialization gadgets and typing
Уязвимость компонента spring-aop библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код
EPSS