Insecure deserialization in jackson-databind
Description
Arbitrary Code Execution in jackson-databind
FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 14 | 2.9.8-1 | | |
| debian 11 | 2.9.8-1 | | |
| debian 12 | 2.9.8-1 | | |
| debian 13 | 2.9.8-1 | | |
| maven | 2.9.7, 2.8.11.3, 2.7.9.5 | | |
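
A version check built from the ranges in the description, as an added example that is not part of the original advisory or of the jackson-databind project. It assumes `mvn dependency:list`-style input (the sample lines are constructed), treats 2.x branches older than 2.7 as unpatched and 2.10 and later as fixed; `PATCHED`, `is_affected` and `scan` are hypothetical names.

```python
import re

# First patched release on each branch, taken from the advisory text.
PATCHED = {(2, 7): (2, 7, 9, 5), (2, 8): (2, 8, 11, 3), (2, 9): (2, 9, 7)}

def parse_version(text):
    """Turn '2.8.11.3' or '2.9.6-SNAPSHOT' into a tuple of ints (qualifiers ignored)."""
    nums = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in nums.group(0).split("."))

def pad(v, n=4):
    """Right-pad with zeros so 2.9.7 and 2.8.11.3 compare at equal length."""
    return tuple(v) + (0,) * (n - len(v))

def is_affected(version):
    v = pad(parse_version(version))
    if v[0] != 2:
        return False  # the advisory covers 2.x only
    branch = v[:2]
    if branch in PATCHED:
        return v < pad(PATCHED[branch])
    # Assumption: branches before 2.7 never received the fix; 2.10+ include it.
    return branch < (2, 7)

COORD = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+)")

def scan(lines):
    """Return the affected jackson-databind versions found in dependency lines."""
    hits = []
    for line in lines:
        m = COORD.search(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE = [
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.3:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:runtime",
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.6:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```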