CVSS: 9.8EPSS: 8%CPEs: 16EXPL: 6CVE-2020-8840 – jackson-databind: Lacks certain xbean-reflect/JNDI blocking
https://notcve.org/view.php?id=CVE-2020-8840
10 Feb 2020 — FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. FasterXML jackson-databind versiones 2.0.0 hasta 2.9.10.2, carece de cierto bloqueo de xbean-reflect/JNDI, como es demostrado mediante org.apache.xbean.propertyeditor.JndiConverter. A flaw was found in FasterXML jackson-databind in versions 2.0.0 through 2.9.10.2. A "gadget" exploit is possible due to a lack of a Java object being blocking from being ... • https://github.com/jas502n/jackson-CVE-2020-8840 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 2%CPEs: 53EXPL: 0CVE-2019-20330 – jackson-databind: lacks certain net.sf.ehcache blocking
https://notcve.org/view.php?id=CVE-2019-20330
03 Jan 2020 — FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. FasterXML jackson-databind versiones 2.x anteriores a la versión 2.9.10.2, carece de cierto bloqueo de net.sf.ehcache. Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire ... • https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1...jackson-databind-2.9.10.2 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 42EXPL: 0CVE-2019-16335 – jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
https://notcve.org/view.php?id=CVE-2019-16335
15 Sep 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. PicoC versión 2.1, hay un desbordamiento de búfer en la región heap de la memoria en la función StringStrcpy en la biblioteca cstdlib/string.c cuando se llama desde ExpressionParseFunctionCall en el archivo expression.c. Red Hat Decision Manager is an open source decision management platform that combines business r... • https://access.redhat.com/errata/RHSA-2019:3200 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 7%CPEs: 52EXPL: 1CVE-2019-14540 – jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
https://notcve.org/view.php?id=CVE-2019-14540
15 Sep 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. Se detectó un problema de escritura polimórfica en FasterXML jackson-databind versiones anteriores a 2.9.10. Está relacionado con com.zaxxer.hikari.HikariConfig. Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving pla... • https://github.com/LeadroyaL/cve-2019-14540-exploit • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 10%CPEs: 45EXPL: 1CVE-2019-14439 – jackson-databind: Polymorphic typing issue related to logback/JNDI
https://notcve.org/view.php?id=CVE-2019-14439
30 Jul 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. Se detectó un problema de escritura polimórfica en jackson-databind de FasterXML versiones 2.x anteriores a 2.9.9.2. Esto ocurre cuando la Escritura Predeterminada está habilitada (globalmente o para una propiedad específica) para un endp... • https://github.com/jas502n/CVE-2019-14439 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 12%CPEs: 14EXPL: 0CVE-2018-11307 – jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
https://notcve.org/view.php?id=CVE-2018-11307
17 Apr 2019 — An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. Se detectó un problema en jackson-databind versiones 2.0.0 hasta 2.9.5 de FasterXML. El uso de escritura predeterminada de Jackson junto con una clase de gadget de iBatis permite la exfiltración de contenido. • https://access.redhat.com/errata/RHSA-2019:0782 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2018-1320 – thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
https://notcve.org/view.php?id=CVE-2018-1320
07 Jan 2019 — Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. La librería de cliente Java de Apache Thrift, desde la versión 0.5.0 hasta la 0.11.0, puede omitir la validación de la negociación de SASL "isComplete" en la clase org.apache.thrift.transpo... • http://www.openwall.com/lists/oss-security/2019/07/24/3 • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 14%CPEs: 58EXPL: 0CVE-2018-14718 – jackson-databind: arbitrary code execution in slf4j-ext class
https://notcve.org/view.php?id=CVE-2018-14718
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malic... • http://www.securityfocus.com/bid/106601 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 2%CPEs: 55EXPL: 0CVE-2018-14719 – jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
https://notcve.org/view.php?id=CVE-2018-14719
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear las clases blaze-ds-opt y blaze-ds-core de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would p... • https://access.redhat.com/errata/RHBA-2019:0959 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 2%CPEs: 13EXPL: 1CVE-2018-1000873 – jackson-modules-java8: DoS due to an Improper Input Validation
https://notcve.org/view.php?id=CVE-2018-1000873
20 Dec 2018 — Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. Fasterxml Jackson, en versiones anteriores a la 2.9.8, contiene una vulnerabilidad CWE-20: validación de entradas incorrecta ... • https://bugzilla.redhat.com/show_bug.cgi?id=1665601 • CWE-20: Improper Input Validation •