CVE-2020-24616 – com.fasterxml.jackson.core:jackson-databind

Package

Manager: maven
Name: com.fasterxml.jackson.core:jackson-databind
Vulnerable Version: >=2.0.0 <2.9.10.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.03783 pctl0.87618

Details

Code Injection in jackson-databind This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Metadata

Created: 2021-12-09T19:14:51Z
Modified: 2022-04-22T18:19:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-h3cw-g4mq-c5x2/GHSA-h3cw-g4mq-c5x2.json
CWE IDs: ["CWE-502", "CWE-94"]
Alternative ID: GHSA-h3cw-g4mq-c5x2
Finding: F416
Auto approve: 1