Description
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
Statement
This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.
Mitigation
jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.
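The failure mode the description refers to, and the application-side fix, as an added example that is not part of this advisory or of the Jackson project's own code: two beans that point at each other are serialized with no cycle handling, which jackson-databind 2.x up to 2.15 reports as a JsonMappingException wrapping the StackOverflowError from the recursive bean serializer; the same pair annotated with @JsonIdentityInfo writes each object once and the back reference as an id, and the document reads back into the same graph. The class and field names are hypothetical. Note where the cycle comes from: it is built by code running inside the JVM. A plain JSON document handed to readValue is a tree and cannot create such object cycles on its own (absent identity annotations), which is the substance of the vendor's dispute.

```java
import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example with hypothetical classes; needs com.fasterxml.jackson.core:jackson-databind on the classpath.
public class CyclicSerializationDemo {

    // Two beans that reference each other with no hint to Jackson about the cycle.
    public static class Parent {
        public String name;
        public Child child;
    }

    public static class Child {
        public String name;
        public Parent parent;
    }

    // Same shape, but an already-written object is emitted as an "@id" reference instead of being re-serialized.
    @JsonIdentityInfo(generator = ObjectIdGenerators.IntSequenceGenerator.class, property = "@id")
    public static class SafeParent {
        public String name;
        public SafeChild child;
    }

    @JsonIdentityInfo(generator = ObjectIdGenerators.IntSequenceGenerator.class, property = "@id")
    public static class SafeChild {
        public String name;
        public SafeParent parent;
    }

    /** Serializes value, or returns a report of the exception Jackson raised instead of the JSON. */
    static String serializeOrReport(ObjectMapper mapper, Object value) {
        try {
            return mapper.writeValueAsString(value);
        } catch (JsonProcessingException e) {
            // Through 2.15 the bean serializer catches the StackOverflowError from the unbounded recursion
            // and rethrows it as JsonMappingException("Infinite recursion (StackOverflowError)").
            // 2.16+ enforces a write nesting-depth limit in jackson-core and fails earlier on that limit.
            return "FAILED: " + e.getClass().getSimpleName() + ": " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // The cycle is constructed here, in-process; it is not parsed from any input document.
        Parent p = new Parent();
        p.name = "root";
        Child c = new Child();
        c.name = "leaf";
        p.child = c;
        c.parent = p;
        System.out.println("unannotated: " + serializeOrReport(mapper, p));

        SafeParent sp = new SafeParent();
        sp.name = "root";
        SafeChild sc = new SafeChild();
        sc.name = "leaf";
        sp.child = sc;
        sc.parent = sp;
        String json = serializeOrReport(mapper, sp);
        System.out.println("with @JsonIdentityInfo: " + json);

        // The identity ids let Jackson rebuild the cyclic graph on deserialization.
        SafeParent back = mapper.readValue(json, SafeParent.class);
        System.out.println("round-trip restored cycle: " + (back.child.parent == back));
    }
}
```

Run with jackson-databind on the classpath (for example via `mvn exec:java` in a project that declares the dependency). @JsonManagedReference/@JsonBackReference, or @JsonIgnore on the back pointer, are the other standard ways to break the cycle; @JsonIdentityInfo is the one that keeps the relationship recoverable on the read side.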
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | jackson-databind | Not affected | ||
| Cryostat 2 | jackson-databind | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | ||
| Red Hat A-MQ Online | jackson-databind | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | jackson-databind | Affected | ||
| Red Hat build of Apicurio Registry 2 | jackson-databind | Affected | ||
| Red Hat build of Debezium 1 | jackson-databind | Affected | ||
| Red Hat build of Debezium 2 | jackson-databind | Affected | ||
| Red Hat build of OptaPlanner 8 | jackson-databind | Will not fix | ||
| Red Hat Decision Manager 7 | jackson-databind | Will not fix | ||
Additional information
CVSS3: 4.7 (Medium)
Related vulnerabilities
An issue was discovered in jackson-databind through 2.15.2 that allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies.
Vulnerability in the Jackson-databind library of the FasterXML project, allowing an attacker to cause a denial of service