ghsa-5949-rw7g-wx7w
Vulnerability from github
Published
2021-01-20 21:20
Modified
2024-03-15 00:16
Severity
Summary
Deserialization of untrusted data in jackson-databind
Details
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "ranges": [ { "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.7" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.6.7.5" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-20190" ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-01-20T04:44:51Z", "nvd_published_at": "2021-01-19T17:15:00Z", "severity": "HIGH" }, "details": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "id": "GHSA-5949-rw7g-wx7w", "modified": "2024-03-15T00:16:03Z", "published": "2021-01-20T21:20:15Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2854" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0008" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Deserialization of untrusted data in jackson-databind" }
Loading...