com.fasterxml.jackson.core:jackson-databind
Maven package. 69 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting com.fasterxml.jackson.core:jackson-databind (page 2 of 2)
- CVE-2020-36180 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-07
  vulnerable: 2.0.0 ... 2.6.7.4 (63 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36181 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-06
  vulnerable: 2.0.0 ... 2.6.7.4 (63 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36182 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-07
  vulnerable: 2.0.0 ... 2.6.7.4 (63 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36183 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-07
  vulnerable: 2.0.0 ... 2.6.7.4 (63 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
- CVE-2020-36184 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.9.10.8 | 2021-01-06
  vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
- CVE-2020-36185 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.9.10.8 | 2021-01-06
  vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
- CVE-2020-36186 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.9.10.8 | 2021-01-06
  vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
- CVE-2020-36187 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.9.10.8 | 2021-01-06
  vulnerable: 2.0.0 ... 2.9.9.3 (131 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
- CVE-2020-36188 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-06
  vulnerable: 2.0.0 ... 2.6.7.4 (63 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
- CVE-2020-36189 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-06
  vulnerable: 2.0.0 ... 2.6.7.4 (66 versions)
  FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
- CVE-2020-36518 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.12.6.1 | 2022-03-11
  vulnerable: 2.0.0 ... 2.9.9.3 (160 versions)
  jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- CVE-2020-8840 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.9.10.3 | 2020-02-10
  vulnerable: 2.9.0 ... 2.9.9.3 (20 versions)
  FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
- CVE-2020-9546 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.9.10.4 | 2020-03-02
  vulnerable: 2.9.0 ... 2.9.9.3 (21 versions)
  FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
- CVE-2020-9547 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.9.7 | 2020-03-02
  vulnerable: 2.0.0 ... 2.7.9.6 (84 versions)
  FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
- CVE-2020-9548 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.9.7 | 2020-03-02
  vulnerable: 2.0.0 ... 2.7.9.6 (84 versions)
  FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
- CVE-2021-20190 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.7.5 | 2021-01-19
  vulnerable: 2.0.0 ... 2.6.7.4 (66 versions)
  A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system avai…
- CVE-2021-46877 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.13.1 | 2023-03-18
  vulnerable: 2.13.0
  jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
- CVE-2022-42003 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.13.4.2 | 2022-10-02
  vulnerable: 2.13.0 ... 2.13.4.1 (8 versions)
  In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feat…
- CVE-2022-42004 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.13.4 | 2022-10-02
  vulnerable: 2.13.0 ... 2.13.3 (6 versions)
  In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain custom…