Version 2.18.2
jackson-databind
General data-binding functionality for Jackson: works on core streaming API
Install Instructions
mvn install jackson-databind
Language Java
Package URL (purl) pkg:maven/com.fasterxml.jackson.core:jackson-databind@2.18.2
Find jackson-databind vulnerabilities in your supply chain.
jackson-databind Vulnerabilities
Sort by
CVE (Latest)
CVE (Latest)
-
CVE (Latest)
-
CVE (Oldest)
-
CVSS Score (Highest)
-
CVSS Score (Lowest)
CVE  |
CVSS Score |
CWE(s) |
EPSS Score |
EPSS % |
Impacted Versions |
|---|---|---|---|---|---|
| CVE-2018-11307 | High 9.8 | CWE-502 | 0.16423 | 0.95983 |
|
| CVE-2018-12022 | High 7.5 | CWE-502 | 0.00698 | 0.80075 |
|
| CVE-2018-12023 | High 7.5 | CWE-502 | 0.00622 | 0.78709 |
|
| CVE-2018-14718 | High 9.8 | CWE-502 | 0.12423 | 0.95405 |
|
| CVE-2018-14719 | High 9.8 | CWE-502 | 0.02358 | 0.89491 |
|
| CVE-2018-14720 | High 9.8 | CWE-611, CWE-502 | 0.00452 | 0.7486 |
|
| CVE-2018-14721 | High 10 | CWE-918 | 0.00814 | 0.81602 |
|
| CVE-2018-19360 | High 9.8 | CWE-502 | 0.00686 | 0.79887 |
|
| CVE-2018-19361 | High 9.8 | CWE-502 | 0.00686 | 0.79887 |
|
| CVE-2018-19362 | High 9.8 | CWE-502 | 0.00686 | 0.79887 |
|
| CVE-2018-7489 | High 9.8 | CWE-184, CWE-502 | 0.71919 | 0.98253 |
|
| CVE-2019-12086 | High 7.5 | CWE-502 | 0.00307 | 0.69499 |
|
| CVE-2019-12384 | Medium 5.9 | CWE-502 | 0.3889 | 0.97262 |
|
| CVE-2019-12814 | Medium 5.9 | CWE-502 | 0.02928 | 0.90578 |
|
| CVE-2019-14379 | High 9.8 | CWE-915, CWE-1321, CWE-502 | 0.01161 | 0.84636 |
|
| CVE-2019-14439 | High 7.5 | CWE-502 | 0.00166 | 0.53681 |
|
| CVE-2019-14540 | High 9.8 | CWE-502 | 0.00669 | 0.79603 |
|
| CVE-2019-14892 | High 9.8 | CWE-200, CWE-502 | 0.00331 | 0.70748 |
|
| CVE-2019-14893 | High 9.8 | CWE-200, CWE-502 | 0.02131 | 0.88904 |
|
| CVE-2019-16335 | High 9.8 | CWE-502 | 0.00548 | 0.77291 |
|
| CVE-2019-16942 | High 9.8 | CWE-502 | 0.00602 | 0.78336 |
|
| CVE-2019-16943 | High 9.8 | CWE-502 | 0.00602 | 0.78336 |
|
| CVE-2019-17267 | High 9.8 | CWE-502 | 0.00581 | 0.77935 |
|
| CVE-2019-17531 | High 9.8 | CWE-502 | 0.00581 | 0.77935 |
|
| CVE-2019-20330 | High 9.8 | CWE-502 | 0.00386 | 0.72861 |
|
| CVE-2020-10650 | High 8.1 | CWE-502 | 0.00756 | 0.80895 |
|
| CVE-2020-10672 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-10673 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-10968 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-10969 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-11111 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-11112 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-11113 | High 8.8 | CWE-502 | 0.00482 | 0.75607 |
|
| CVE-2020-11619 | High 8.1 | CWE-502 | 0.01987 | 0.88481 |
|
| CVE-2020-11620 | High 8.1 | CWE-502 | 0.02079 | 0.88771 |
|
| CVE-2020-14060 | High 8.1 | CWE-502 | 0.03185 | 0.90953 |
|
| CVE-2020-14061 | High 8.1 | CWE-502 | 0.0147 | 0.86454 |
|
| CVE-2020-14062 | High 8.1 | CWE-502 | 0.01409 | 0.86178 |
|
| CVE-2020-14195 | High 8.1 | CWE-502 | 0.01694 | 0.87402 |
|
| CVE-2020-24616 | High 8.1 | CWE-94, CWE-502 | 0.0073 | 0.80523 |
|
| CVE-2020-24750 | High 8.1 | CWE-502 | 0.00439 | 0.74435 |
|
| CVE-2020-25649 | High 7.5 | CWE-611 | 0.00247 | 0.63865 |
|
| CVE-2020-35490 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-35491 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-35728 | High 8.1 | CWE-502 | 0.00657 | 0.7941 |
|
| CVE-2020-36179 | High 8.1 | CWE-502 | 0.0083 | 0.81762 |
|
| CVE-2020-36180 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36181 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36182 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36183 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36184 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36185 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36186 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36187 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36188 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36189 | High 8.1 | CWE-502 | 0.00329 | 0.70625 |
|
| CVE-2020-36518 | High 7.5 | CWE-787 | 0.0034 | 0.71084 |
|
| CVE-2020-8840 | High 9.8 | CWE-502 | 0.00933 | 0.82789 |
|
| CVE-2020-9546 | High 9.8 | CWE-502 | 0.00405 | 0.73393 |
|
| CVE-2020-9547 | High 9.8 | CWE-502 | 0.00434 | 0.74308 |
|
| CVE-2020-9548 | High 9.8 | CWE-502 | 0.00478 | 0.75506 |
|
| CVE-2021-20190 | High 8.1 | CWE-502 | 0.00257 | 0.64619 |
|
| CVE-2022-42003 | High 7.5 | CWE-502 | 0.0029 | 0.68554 |
|
| CVE-2022-42004 | High 7.5 | CWE-502 | 0.00289 | 0.68518 |
|
| CVE-2017-15095 | High 9.8 | CWE-184, CWE-502 | 0.13261 | 0.95544 |
|
| CVE-2017-17485 | High 9.8 | CWE-94, CWE-502 | 0.2126 | 0.9642 |
|
| CVE-2017-7525 | High 9.8 | CWE-502, CWE-184 | 0.7827 | 0.98465 |
|
| CVE-2018-5968 | High 8.1 | CWE-502, CWE-184 | 0.0927 | 0.94682 |
|
| CVE-2021-46877 | High 7.5 | CWE-400 | 0.00121 | 0.46815 |
|
jackson-databind Vulnerability Remediation Guidance
| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2022-42004 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2022-42003 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2021-46877 | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | 2.10.3, 2.10.2, 2.10.0, 2.10.5, 2.10.4, 2.10.1, 2.13.0, 2.12.1 (Show all) | Patch → 2.12.7.1 |
| CVE-2021-20190 | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-9548 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-9547 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-9546 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-8840 | FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36518 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36189 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36188 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36187 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36186 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36185 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36184 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36183 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36182 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36181 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36180 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-36179 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-35728 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-35491 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-35490 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-25649 | A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. | 2.9.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0, 2.8.1 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-24750 | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-24616 | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-14195 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-14062 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-14061 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-14060 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-11620 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-11619 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-11113 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-11112 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-11111 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-10969 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-10968 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-10673 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-10672 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2020-10650 | A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-20330 | FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-17531 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-17267 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-16943 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-16942 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-16335 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-14893 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. | 2.9.4, 2.9.3, 2.9.6, 2.9.2, 2.9.0, 2.9.5, 2.9.1, 2.9.7 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-14892 | A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-14540 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-14439 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-14379 | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-12814 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-12384 | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2019-12086 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-7489 | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-5968 | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. | 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0, 2.6.0-rc1 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-19362 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-19361 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | 2.9.4, 2.7.1-1, 2.7.4, 2.7.7, 2.8.1, 2.7.9.1, 2.9.3, 2.9.6 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-19360 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | 2.9.4, 2.7.1-1, 2.7.4, 2.7.7, 2.8.1, 2.7.9.1, 2.9.3, 2.9.6 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-14721 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | 2.9.4, 2.7.1-1, 2.7.4, 2.7.7, 2.8.1, 2.7.9.1, 2.9.3, 2.9.6 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-14720 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | 2.9.4, 2.7.1-1, 2.7.4, 2.7.7, 2.8.1, 2.7.9.1, 2.9.3, 2.9.6 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-14719 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-14718 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-12023 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | 2.9.4, 2.7.1-1, 2.7.4, 2.7.7, 2.7.9.1, 2.9.3, 2.7.9.3, 2.7.8 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-12022 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2018-11307 | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. | 2.9.4, 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0 (Show all) | Patch → 2.12.7.1 |
| CVE-2017-7525 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.3, 2.6.0, 2.6.0-rc1, 2.2.0-rc1 (Show all) | Patch → 2.12.7.1 |
| CVE-2017-17485 | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0, 2.6.0-rc1 (Show all) | Patch → 2.12.7.1 |
| CVE-2017-15095 | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | 2.4.4, 2.7.1-1, 2.7.4, 2.7.7, 2.6.7.1, 2.6.3, 2.6.0, 2.6.0-rc1 (Show all) | Patch → 2.12.7.1 |
Instantly see if these jackson-databind vulnerabilities affect your code.
Dependencies
Packages using versions of jackson-databind affected by its vulnerabilities
| Dependent Packages |
|---|
| net.bytebuddy:byte-buddy:${version.bytebuddy} |
| net.bytebuddy:byte-buddy-agent:${version.bytebuddy} |
| com.fasterxml.jackson.core:jackson-annotations:${jackson.version.annotations} |
| com.fasterxml.jackson.core:jackson-core:${jackson.version.core} |
| org.junit.jupiter:junit-jupiter: |
| org.junit.jupiter:junit-jupiter-api: |
| org.assertj:assertj-core: |
| com.google.guava:guava-testlib:31.1-jre |
| javax.measure:jsr-275:0.9.1 |
| org.openjdk.jol:jol-core:0.16 |
| org.mockito:mockito-core:${version.mockito} |
| org.mockito:mockito-inline:${version.mockito} |