Jackson Databind is vulnerable to deserialization of untrusted data. The vulnerability exists in Set
function in SubTypeValidator.java
when handling interactions related to class ignite-jta which allows an attacker to inject and execute malicious codes.
CPE | Name | Operator | Version |
---|---|---|---|
jackson-databind | le | 2.9.10.3 | |
jackson-databind | le | 2.9.10.3 |
github.com/advisories/GHSA-rpr3-cw39-3pxh
github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
github.com/FasterXML/jackson-databind/issues/2658
github.com/FasterXML/jackson-databind/pull/2864
lists.debian.org/debian-lts-announce/2023/04/msg00032.html
medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpuoct2022.html