Fluid Attacks Database

Description

Deserialization of untrusted data in jackson-databind A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.fasterxml.jackson.core:jackson-databind	>=2.7.0 <2.9.10.7 \|\| >=0 <2.6.7.5	2.9.10.7, 2.6.7.5
debian 12	jackson-databind	>=0 <2.12.1-1	2.12.1-1
debian 13	jackson-databind	>=0 <2.12.1-1	2.12.1-1
debian 14	jackson-databind	>=0 <2.12.1-1	2.12.1-1
debian 11	jackson-databind	>=0 <2.12.1-1	2.12.1-1
maven	org.apache.nifi:nifi	>=1.7.0 <=1.12.1	1.13.0

Aliases

1. CVE-2021-201902. NVD-2021-201903. OSV-2021-201904. OSV-DEBIAN-2021-201905. GCVE-2021-201906. lists.debian.org7. SECURITY-TRACKER-CVE-2021-20190

References

1. https://github.com/FasterXML/jackson-databind/issues/28542. https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e883. https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a4. https://bugzilla.redhat.com/show_bug.cgi?id=19166335. https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E6. https://security.netapp.com/advisory/ntap-20210219-00087. https://www.oracle.com//security-alerts/cpujul2021.html8. https://github.com/dawetmaster/CVE-2021-20190-jackson-databind-vulnerable