Insecure deserialization In com.fasterxml.jackson.core:jackson-databind
Description
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 maven | 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 | ||
 debian 14 | 2.11.1-1 | ||
maven | 2.8.11.5, 2.9.10.3 | ||
debian 12 | 2.11.1-1 | ||
debian 11 | 2.11.1-1 | ||
debian 13 | 2.11.1-1 | ||
 rpm rhel8 | 0:10.8.3-1.module+el8.2.0+5925+bad5981a |
Aliases
1. 2. 3. 4. 5. 6. 7.
References
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47.