com.fasterxml.jackson.core:jackson-databind

Maven69 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting com.fasterxml.jackson.core:jackson-databindpage 1 of 2

CVE-2017-15095CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.7.9.2
2018-02-06
vulnerable: 2.7.0 ... 2.7.9.1 (12 versions)
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the …
CVE-2017-17485CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.7.9.2
2018-01-10
vulnerable: 2.0.0 ... 2.7.9.1 (82 versions)
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON…
CVE-2017-7525CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.8.9
2018-02-06
vulnerable: 2.8.0 ... 2.8.8.1 (10 versions)
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method…
CVE-2018-11307CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.6
2019-07-09
vulnerable: 2.9.0 ... 2.9.5 (10 versions)
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVE-2018-12022HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.6
2019-03-21
vulnerable: 2.9.0 ... 2.9.5 (10 versions)
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd fra…
CVE-2018-12023HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.6
2019-03-21
vulnerable: 2.9.0 ... 2.9.5 (10 versions)
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker…
CVE-2018-14718CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-01-02
vulnerable: 2.0.0 ... 2.6.7.2 (61 versions)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2018-14719CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.7.9.5
2019-01-02
vulnerable: 2.0.0 ... 2.7.9.4 (82 versions)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-14720CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.7.9.5
2019-01-02
vulnerable: 2.7.0 ... 2.7.9.4 (15 versions)
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14721CRITICALCVSS 10.0EG 10.0✓ Fixed in 2.7.9.5
2019-01-02
vulnerable: 2.7.0 ... 2.7.9.4 (15 versions)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-19360CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.7.9.5
2019-01-02
vulnerable: 2.7.0 ... 2.7.9.4 (15 versions)
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-19361CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.8.11.3
2019-01-02
vulnerable: 2.8.0 ... 2.8.9 (15 versions)
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-19362CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-01-02
vulnerable: 2.0.0 ... 2.6.7.2 (61 versions)
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-5968HIGHCVSS 8.1EG 8.1✓ Fixed in 2.7.9.5
2018-01-22
vulnerable: 2.0.0 ... 2.7.9.4 (85 versions)
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two differe…
CVE-2018-7489CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.5
2018-02-26
vulnerable: 2.0.0 ... 2.6.7.4 (66 versions)
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending ma…
CVE-2019-12086HIGHCVSS 7.5EG 7.5✓ Fixed in 2.6.7.3
2019-05-17
vulnerable: 2.0.0 ... 2.6.7.2 (61 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connec…
CVE-2019-12384MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2.6.7.3
2019-06-24
vulnerable: 2.0.0 ... 2.6.7.2 (61 versions)
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execut…
CVE-2019-12814MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2.6.7.3
2019-06-19
vulnerable: 2.0.0 ... 2.6.7.2 (61 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or …
CVE-2019-14379CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.7.9.6
2019-07-29
vulnerable: 2.0.0 ... 2.7.9.5 (86 versions)
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVE-2019-14439HIGHCVSS 7.5EG 7.5✓ Fixed in 2.6.7.3
2019-07-30
vulnerable: 2.0.0 ... 2.6.7.2 (64 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has…
CVE-2019-14540CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-09-15
vulnerable: 2.0.0 ... 2.6.7.2 (64 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-14892CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.10
2020-03-02
vulnerable: 2.9.0 ... 2.9.9.3 (17 versions)
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this…
CVE-2019-14893CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.10
2020-03-02
vulnerable: 2.9.0 ... 2.9.9.3 (17 versions)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type…
CVE-2019-16335CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-09-15
vulnerable: 2.0.0 ... 2.6.7.2 (64 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVE-2019-16942CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-10-01
vulnerable: 2.0.0 ... 2.6.7.2 (61 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commo…
CVE-2019-16943CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-10-01
vulnerable: 2.0.0 ... 2.6.7.2 (64 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy…
CVE-2019-17267CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.8.11.5
2019-10-07
vulnerable: 2.0.0 ... 2.8.9 (107 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVE-2019-17531CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.6.7.3
2019-10-12
vulnerable: 2.0.0 ... 2.6.7.2 (64 versions)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apach…
CVE-2019-20330CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.10.2
2020-01-03
vulnerable: 2.9.0 ... 2.9.9.3 (19 versions)
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVE-2020-10650HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.4
2022-12-26
vulnerable: 2.0.0 ... 2.9.9.3 (130 versions)
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.igni…
CVE-2020-10672HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.10.4
2020-03-18
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVE-2020-10673HIGHCVSS 8.8EG 8.8✓ Fixed in 2.6.7.4
2020-03-18
vulnerable: 2.0.0 ... 2.6.7.3 (62 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVE-2020-10968HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.10.4
2020-03-26
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVE-2020-10969HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.10.4
2020-03-26
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVE-2020-11111HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.10.4
2020-03-31
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVE-2020-11112HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.10.4
2020-03-31
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVE-2020-11113HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.10.4
2020-03-31
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVE-2020-11619HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.4
2020-04-07
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVE-2020-11620HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.4
2020-04-07
vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVE-2020-14060HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.5
2020-06-14
vulnerable: 2.9.0 ... 2.9.9.3 (22 versions)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVE-2020-14061HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.5
2020-06-14
vulnerable: 2.9.0 ... 2.9.9.3 (22 versions)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectio…
CVE-2020-14062HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.5
2020-06-14
vulnerable: 2.9.0 ... 2.9.9.3 (22 versions)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVE-2020-14195HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.5
2020-06-16
vulnerable: 2.9.0 ... 2.9.9.3 (22 versions)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVE-2020-24616HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.6
2020-08-25
vulnerable: 2.0.0 ... 2.9.9.3 (129 versions)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2020-24750HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.6
2020-09-17
vulnerable: 2.7.0 ... 2.9.9.3 (62 versions)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-25649HIGHCVSS 7.5EG 7.5✓ Fixed in 2.10.5.1
2020-12-03
vulnerable: 2.10.0 ... 2.10.5 (9 versions)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVE-2020-35490HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.8
2020-12-17
vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-35491HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.8
2020-12-17
vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-35728HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.10.8
2020-12-27
vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax…
CVE-2020-36179HIGHCVSS 8.1EG 8.1✓ Fixed in 2.6.7.5
2021-01-07
vulnerable: 2.0.0 ... 2.6.7.4 (63 versions)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Check whether com.fasterxml.jackson.core:jackson-databind is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for com.fasterxml.jackson.core:jackson-databind CVEs against the assets you own.

Start Free Scan →