CVSS: 9.8EPSS: 1%CPEs: 61EXPL: 0CVE-2019-14379 – jackson-databind: default typing mishandling leading to remote code execution
https://notcve.org/view.php?id=CVE-2019-14379
29 Jul 2019 — SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. El archivo SubTypeValidator.java en jackson-databind de FasterXML en versiones anteriores a la 2.9.9.2 maneja inapropiadamente la escritura predeterminada cuando se usa ehcache (debido a net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), lo que conlleva a la ejecuc... • http://seclists.org/fulldisclosure/2022/Mar/23 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.1EPSS: 51%CPEs: 10EXPL: 2CVE-2019-12384 – jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
https://notcve.org/view.php?id=CVE-2019-12384
24 Jun 2019 — FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. FasterXML jackson-databind versión 2.x anterior a 2.9.9.1, podría permitir a los atacantes dirigir una variedad de impactos al aprovechar un fallo al bloquear la deserialización polimórfica de la clase core-logback. Dependiendo del contenido del classp... • https://github.com/jas502n/CVE-2019-12384 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 19%CPEs: 5EXPL: 1CVE-2019-12814 – jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
https://notcve.org/view.php?id=CVE-2019-12814
19 Jun 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. Se descubrió un problema de tipificación polimórfica en FasterXML jackson-databind 2.x hasta la 2.9.9. Cuando la escritura prede... • https://github.com/Al1ex/CVE-2019-12814 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 15%CPEs: 6EXPL: 3CVE-2019-12086 – jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
https://notcve.org/view.php?id=CVE-2019-12086
17 May 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj... • https://github.com/motoyasu-saburi/CVE-2019-12086-jackson-databind-file-read • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 12%CPEs: 14EXPL: 0CVE-2018-11307 – jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
https://notcve.org/view.php?id=CVE-2018-11307
17 Apr 2019 — An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. Se detectó un problema en jackson-databind versiones 2.0.0 hasta 2.9.5 de FasterXML. El uso de escritura predeterminada de Jackson junto con una clase de gadget de iBatis permite la exfiltración de contenido. • https://access.redhat.com/errata/RHSA-2019:0782 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 3%CPEs: 14EXPL: 0CVE-2018-12022 – jackson-databind: improper polymorphic deserialization of types from Jodd-db library
https://notcve.org/view.php?id=CVE-2018-12022
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Def... • http://www.securityfocus.com/bid/107585 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 4%CPEs: 13EXPL: 0CVE-2018-12023 – jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
https://notcve.org/view.php?id=CVE-2018-12023
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Default Typing" está habilitado (globalmente... • http://www.securityfocus.com/bid/105659 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 6%CPEs: 24EXPL: 0CVE-2018-19360 – jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
https://notcve.org/view.php?id=CVE-2018-19360
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase axis2-transport-jms de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deseri... • http://www.securityfocus.com/bid/107985 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 14%CPEs: 58EXPL: 0CVE-2018-14718 – jackson-databind: arbitrary code execution in slf4j-ext class
https://notcve.org/view.php?id=CVE-2018-14718
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malic... • http://www.securityfocus.com/bid/106601 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 3%CPEs: 41EXPL: 0CVE-2018-14720 – jackson-databind: exfiltration/XXE in some JDK classes
https://notcve.org/view.php?id=CVE-2018-14720
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes realizar ataques de tipo XML External Entity Injection (XXE) aprovechando su incapacidad de bloquear clases JDK no especificadas de deserialización polimórfica. Red Hat Decision Manager is an open source decis... • https://access.redhat.com/errata/RHBA-2019:0959 • CWE-502: Deserialization of Untrusted Data CWE-611: Improper Restriction of XML External Entity Reference •