Insecure deserialization in jackson-databind
Description
jackson-databind is vulnerable to a deserialization flaw leading to unauthenticated remote code execution. jackson-databind versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw that allows an unauthenticated user to execute code by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends the previous flaw CVE-2017-7525: the earlier fix was a blacklist of known gadget classes, and this issue covers additional vulnerable classes that bypass it; the patched versions add those classes to the blacklist.
Mitigation
Upgrade to a patched release (2.8.11, 2.9.4, or the 2.6.7.3 / 2.7.9.2 backports). Note that the fix is blacklist-based: it adds further gadget classes to the list introduced for CVE-2017-7525, so an application that enables default typing (or uses @JsonTypeInfo with class-name type ids) on untrusted input remains exposed to any gadget class not yet on the list. The durable fix is to not enable polymorphic typing for untrusted input at all, or to restrict it to an explicit allowlist of subtypes.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| maven | jackson-databind | prior to 2.8.11 and prior to 2.9.4 (see description) | 2.8.11, 2.9.4, 2.6.7.3, 2.7.9.2 |
| debian 11 | | | 2.9.1-1 |
| debian 12 | | | 2.9.1-1 |
| debian 13 | | | 2.9.1-1 |
| debian 14 | | | 2.9.1-1 |
| debian 11 | | | 1.9.13-2 |
| debian 12 | | | 1.9.13-2 |
| debian 13 | | | 1.9.13-2 |
| debian 14 | | | 1.9.13-2 |

The Debian rows list only a version; the source does not name the package. 2.9.1-1 corresponds to jackson-databind 2.x, whereas 1.9.13-2 is a Jackson 1.x (org.codehaus.jackson) release and therefore refers to a different Debian package. Confirm the fixed version against the distribution's own security tracker before relying on these rows.
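The following is an added example written for this page; it is not code from the advisory or from the jackson-databind project. It shows the configuration that puts an application on the readValue code path described above (default typing, where the JSON itself names the class to instantiate) next to the allowlist-based hardening. It assumes jackson-databind 2.10 or later on the classpath, since activateDefaultTyping and BasicPolymorphicTypeValidator were introduced in 2.10 (the patched versions listed on this page only extend the blacklist and do not offer an allowlist). The Event class is a hypothetical application type, and java.util.HashMap stands in for whatever class an attacker would name; the JSON strings are constructed for the example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not part of the advisory or of jackson-databind itself).
 * Requires jackson-databind 2.10+ for activateDefaultTyping / BasicPolymorphicTypeValidator.
 */
public class DefaultTypingDemo {

    /** Hypothetical application type: the only polymorphic subtype we intend to accept. */
    public static class Event {
        public String name;
    }

    /**
     * Constructed attacker-controlled input in the wrapper-array shape that default typing
     * reads: ["fully.qualified.ClassName", {properties}]. java.util.HashMap is a harmless
     * stand-in for the attacker's chosen class; a real attack names a gadget class that is
     * present on the application's classpath.
     */
    static final String UNTRUSTED_JSON = "[\"java.util.HashMap\",{\"name\":\"x\"}]";

    /** Constructed legitimate input: the same shape, naming the application's own type. */
    static final String EXPECTED_JSON = "[\"" + Event.class.getName() + "\",{\"name\":\"x\"}]";

    /** Vulnerable configuration: any class name carried in the type id is resolved and instantiated. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        // Pre-2.10 API, deprecated in 2.10 precisely because it has no allowlist.
        m.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return m;
    }

    /** Hardened configuration: a polymorphic subtype is instantiated only if it passes the allowlist. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)   // only Event and its subclasses
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }

    /** Returns the class Jackson actually instantiated, or null if the mapper rejected the type id. */
    static Class<?> classInstantiated(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return value.getClass();
        } catch (JsonMappingException e) {
            // With the validator in place this is an InvalidTypeIdException: the type id is
            // denied before any class is loaded or any constructor/setter is run.
            return null;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable mapper, attacker-named type: "
                + classInstantiated(vulnerableMapper(), UNTRUSTED_JSON));
        System.out.println("hardened mapper,   attacker-named type: "
                + classInstantiated(hardenedMapper(), UNTRUSTED_JSON));
        System.out.println("hardened mapper,   application type:    "
                + classInstantiated(hardenedMapper(), EXPECTED_JSON));
    }
}
```

Run it with jackson-databind 2.10 or later on the classpath. The vulnerable mapper instantiates whatever class the JSON names (here a HashMap; on a vulnerable classpath, a gadget), which is exactly why a blacklist of gadget classes is a moving target. The hardened mapper denies the attacker-named type and still accepts the application's own Event type. The same allowlist applies to @JsonTypeInfo(use = Id.CLASS) properties via ObjectMapper.setPolymorphicTypeValidator, and the safest option of all is to leave default typing disabled and use @JsonTypeInfo(use = Id.NAME) with an explicit @JsonSubTypes list.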