Description
Deserialization of untrusted data in jackson-databind
A flaw was found in jackson-databind before 2.9.10.7 (and, on the 2.6 maintenance line, before 2.6.7.5). FasterXML mishandles the interaction between serialization gadgets and typing: when polymorphic (default) typing is enabled, a class name supplied in the JSON selects the class that gets instantiated, and a newly identified gadget class was not yet on the library's blocklist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
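The following Java program is an added example, not code from the advisory or from the jackson-databind project. It shows the configuration that makes this class of gadget bug reachable (global default typing with no subtype validation) beside the allow-list form that stops it regardless of which gadget is found next. It assumes jackson-databind 2.10 or later, where the `PolymorphicTypeValidator` API exists (the 2.9.10.7 and 2.6.7.5 fixes only extend the library's blocklist); the package, class and payloads below are hypothetical and constructed for the example, and `java.util.HashMap` stands in for an attacker-chosen class only to show the mechanism.

```java
// Added example (not from the advisory or the jackson-databind project).
// Assumes jackson-databind 2.10+ for the PolymorphicTypeValidator API.
// Package, class names and payloads are hypothetical / constructed.
package com.example;

import java.io.IOException;
import java.io.UncheckedIOException;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    /** Application model type: the only polymorphic target the service intends to accept. */
    public static class Order {
        public int id;
        public String customer;
    }

    // Constructed sample payloads. With default typing enabled, Jackson reads the
    // "@class" property and it decides which class gets instantiated.
    static final String BENIGN =
        "{\"@class\":\"com.example.JacksonTypingHardening$Order\",\"id\":42,\"customer\":\"acme\"}";
    // Same shape, but the class name is chosen by the sender. java.util.HashMap is
    // harmless and only demonstrates the mechanism; a gadget is any class on the
    // classpath whose constructor or setters act on attacker-controlled values.
    static final String HOSTILE =
        "{\"@class\":\"java.util.HashMap\",\"id\":42}";

    /** Vulnerable pattern: global default typing, subtypes accepted unless blocklisted. */
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    /** Hardened pattern: default typing gated by an allow-list of subtype names. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.")   // only our own model package may be named
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY)
            .build();
    }

    /** True if the mapper refuses the type id in the payload, false if it instantiates it. */
    static boolean refusesTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // thrown when the validator does not allow the named subtype
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper unsafe = unsafeMapper();
        ObjectMapper safe = hardenedMapper();

        System.out.println("unsafe mapper, benign payload refused:  " + refusesTypeId(unsafe, BENIGN));
        System.out.println("unsafe mapper, hostile payload refused: " + refusesTypeId(unsafe, HOSTILE));
        System.out.println("safe mapper,   benign payload refused:  " + refusesTypeId(safe, BENIGN));
        System.out.println("safe mapper,   hostile payload refused: " + refusesTypeId(safe, HOSTILE));
    }
}
```

The unsafe mapper instantiates whatever class the payload names unless that class is on the library's blocklist, which is why each newly found gadget needs another patch release. The hardened mapper rejects any type id outside the allowed prefix with `InvalidTypeIdException`, so a gadget that is not yet blocklisted is still unreachable. Not enabling default typing at all, and binding to concrete model classes instead of `Object`, is the stronger choice where the data model permits it.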
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-20190
- https://github.com/FasterXML/jackson-databind/issues/2854
- https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210219-0008
- https://www.oracle.com//security-alerts/cpujul2021.html
Packages
com.fasterxml.jackson.core:jackson-databind
  Affected versions: >= 2.7.0, < 2.9.10.7
  Patched version: 2.9.10.7
com.fasterxml.jackson.core:jackson-databind
  Affected versions: < 2.6.7.5
  Patched version: 2.6.7.5
Related vulnerabilities
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Vulnerability in the jackson-databind library of the FasterXML project, related to deserialization of untrusted data, allowing an attacker to execute arbitrary code.