Описание
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support, was needed |
| devel | not-affected | 2.10.0-2 |
| disco | ignored | end of life |
| eoan | ignored | end of life |
| esm-apps/bionic | needed | |
| esm-apps/focal | not-affected | 2.10.0-2 |
| esm-apps/jammy | not-affected | 2.10.0-2 |
| esm-apps/noble | not-affected | 2.10.0-2 |
| esm-apps/xenial | not-affected | code not present |
| esm-infra-legacy/trusty | needs-triage |
Показывать по
Ссылки на источники
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3
Связанные уязвимости
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
A flaw was discovered in jackson-databind in versions before 2.9.10, 2 ...
Polymorphic deserialization of malicious object in jackson-databind
Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3