Unsafe Deserialization in jackson-databind

2021-12-0919:16:42

Google

osv.dev

0.003 Low

EPSS

Percentile

66.1%

JSON

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

CPENameOperatorVersion
com.fasterxml.jackson.core:jackson-databindeq2.9.10.3
com.fasterxml.jackson.core:jackson-databindeq2.4.1.1
com.fasterxml.jackson.core:jackson-databindeq2.6.6
com.fasterxml.jackson.core:jackson-databindeq2.9.0.pr3
com.fasterxml.jackson.core:jackson-databindeq2.4.6.1
com.fasterxml.jackson.core:jackson-databindeq2.7.7
com.fasterxml.jackson.core:jackson-databindeq2.4.5.1
com.fasterxml.jackson.core:jackson-databindeq2.6.7
com.fasterxml.jackson.core:jackson-databindeq2.8.0.rc1
com.fasterxml.jackson.core:jackson-databindeq2.4.0-rc3

Name	Operator	Version
com.fasterxml.jackson.core:jackson-databind	eq	2.9.10.3
com.fasterxml.jackson.core:jackson-databind	eq	2.4.1.1
com.fasterxml.jackson.core:jackson-databind	eq	2.6.6
com.fasterxml.jackson.core:jackson-databind	eq	2.9.0.pr3
com.fasterxml.jackson.core:jackson-databind	eq	2.4.6.1
com.fasterxml.jackson.core:jackson-databind	eq	2.7.7
com.fasterxml.jackson.core:jackson-databind	eq	2.4.5.1
com.fasterxml.jackson.core:jackson-databind	eq	2.6.7
com.fasterxml.jackson.core:jackson-databind	eq	2.8.0.rc1
com.fasterxml.jackson.core:jackson-databind	eq	2.4.0-rc3