Unsafe Deserialization in jackson-databind
High severity
GitHub Reviewed
Published
Dec 9, 2021
to the GitHub Advisory Database
•
Updated Sep 14, 2023
Package
Affected versions
>= 2.7.00, < 2.9.10.8
>= 2.0.0, < 2.6.7.5
Patched versions
2.9.10.8
2.6.7.5
Description
Published by the National Vulnerability Database
Jan 7, 2021
Reviewed
Mar 18, 2021
Published to the GitHub Advisory Database
Dec 9, 2021
Last updated
Sep 14, 2023
FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
References