Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jackson\-Databind
(Fasterxml)| Repositories | https://github.com/FasterXML/jackson-databind |
| #Vulnerabilities | 76 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-01-02 | CVE-2018-19360 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | Debian_linux, Jackson\-Databind, Business_process_management_suite, Primavera_p6_enterprise_project_portfolio_management, Primavera_unifier, Retail_workforce_management_software, Webcenter_portal, Automation_manager, Decision_manager, Jboss_bpm_suite, Jboss_brms, Openshift_container_platform | 9.8 | ||
| 2019-01-02 | CVE-2018-14720 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | Debian_linux, Jackson\-Databind, Banking_platform, Communications_billing_and_revenue_management, Enterprise_manager_for_virtualization, Financial_services_analytical_applications_infrastructure, Jdeveloper, Primavera_unifier, Retail_merchandising_system, Webcenter_portal, Jboss_enterprise_application_platform, Openshift_container_platform | 9.8 | ||
| 2019-01-02 | CVE-2018-14721 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | Debian_linux, Jackson\-Databind, Banking_platform, Communications_billing_and_revenue_management, Enterprise_manager_for_virtualization, Financial_services_analytical_applications_infrastructure, Jdeveloper, Primavera_unifier, Retail_merchandising_system, Webcenter_portal, Jboss_enterprise_application_platform, Openshift_container_platform | 10.0 | ||
| 2019-01-02 | CVE-2018-19361 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | Debian_linux, Jackson\-Databind, Business_process_management_suite, Primavera_p6_enterprise_project_portfolio_management, Primavera_unifier, Retail_workforce_management_software, Webcenter_portal, Automation_manager, Decision_manager, Jboss_bpm_suite, Jboss_brms, Openshift_container_platform | 9.8 | ||
| 2019-01-02 | CVE-2018-19362 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | Debian_linux, Jackson\-Databind, Business_process_management_suite, Primavera_p6_enterprise_project_portfolio_management, Primavera_unifier, Retail_workforce_management_software, Webcenter_portal, Automation_manager, Decision_manager, Jboss_bpm_suite, Jboss_brms, Openshift_container_platform | 9.8 | ||
| 2019-03-21 | CVE-2018-12022 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | Debian_linux, Jackson\-Databind, Fedora, Jd_edwards_enterpriseone_tools, Retail_merchandising_system, Automation_manager, Decision_manager, Jboss_brms, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign\-On | 7.5 | ||
| 2019-03-21 | CVE-2018-12023 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | Debian_linux, Jackson\-Databind, Fedora, Jd_edwards_enterpriseone_tools, Retail_merchandising_system, Automation_manager, Decision_manager, Jboss_brms, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign\-On | 7.5 | ||
| 2019-05-17 | CVE-2019-12086 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of... | Debian_linux, Jackson\-Databind | 7.5 | ||
| 2019-06-19 | CVE-2019-12814 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | Debian_linux, Jackson\-Databind | 5.9 | ||
| 2019-06-24 | CVE-2019-12384 | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | Debian_linux, Jackson\-Databind, Enterprise_linux | 5.9 |