Vulnerabilities for 'Jackson'

2020-08-25
 
CVE-2020-24616

CWE-502
 

 
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

 
2018-02-06
 
CVE-2017-7525

CWE-502
 

 
A deserialization flaw was discovered in jackson-databind versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

 
 
CVE-2017-15095

CWE-502
 

 
A deserialization flaw was discovered in jackson-databind versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

 
2018-01-10
 
CVE-2017-17485

CWE-502
 

 
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

 
2017-04-14
 
CVE-2016-7051

CWE-918
 

 
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.

 
2016-06-10
 
CVE-2016-3720

CWE-noinfo
 

 
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.

 

Vendor: Fasterxml (5 products)
Jackson
Jackson-databind
Jackson-dataformat-xml
Jackson-mapper-asl
Jackson-dataformats-binary


Copyright 2024, cxsecurity.com

 
