Skip to main content

Jackson Databind

50 CVEs product

Monthly

CVE-2026-59889 MEDIUM PATCH This Month

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.

Authentication Bypass Jackson Databind
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-59888 MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54517 Maven MEDIUM PATCH GHSA This Month

@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. No public exploit code has been identified and this is not listed in CISA KEV; however, applications relying on @JsonView for security-critical field-level access control - such as role or permission gating - are directly and completely bypassed.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-54516 Maven MEDIUM PATCH GHSA This Month

Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The GHSA advisory characterizes the impact as property tampering and mass assignment; maintainers rate it minor despite a reporter-assessed HIGH severity.

Deserialization Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-54515 Maven MEDIUM PATCH GHSA This Month

Per-property @JsonIgnoreProperties filtering in jackson-databind is silently bypassed when the same property also carries @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), enabling unauthenticated network attackers (per CVSS AV:N/PR:N) to write to fields the application explicitly excluded from deserialization. The flaw spans versions from 2.8.0 through the 2.18.x, 2.19-2.21.x, and 3.1.x release lines and constitutes a mass-assignment integrity risk wherever ignored fields guard sensitive state such as privilege or role attributes. No public exploit tool or CISA KEV listing has been identified at time of analysis; vendor-released patches (2.18.9, 2.21.5, 3.1.4) were published 2026-06-04.

Information Disclosure Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-54514 Maven MEDIUM PATCH GHSA This Month

Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.

SSRF Deserialization Jackson Databind Suse
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-54513 Maven HIGH PATCH GHSA This Week

Allowlist bypass in jackson-databind's BasicPolymorphicTypeValidator (PTV) allows attackers to instantiate non-allowlisted classes by wrapping them in arrays (e.g., EvilType[]), defeating a control intended to block deserialization gadget chains. Affects versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 when applications use allowIfSubTypeIsArray() alongside an explicit concrete-type allowlist. No public exploit identified at time of analysis, but the upstream fix and full root-cause writeup are public on GitHub.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-54512 Maven HIGH POC PATCH GHSA This Week

PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.

Canonical Deserialization Jackson Databind Suse
NVD GitHub HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-50193 Maven MEDIUM PATCH GHSA This Month

Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Denial Of Service Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 4.0
6.3
EPSS
0.5%
CVE-2023-35116 MEDIUM This Month

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. Rated medium severity (CVSS 4.7). No vendor patch available.

Denial Of Service Jackson Databind
NVD GitHub
CVSS 3.1
4.7
EPSS
0.4%
CVE-2022-42004 Maven HIGH POC PATCH This Week

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind Quarkus Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2022-42003 Maven HIGH POC PATCH This Week

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind Quarkus Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2021-20190 Maven HIGH PATCH This Week

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Oncommand Api Services Oncommand Insight +4
NVD GitHub
CVSS 3.1
8.1
EPSS
7.5%
CVE-2020-36183 Maven HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Cloud Backup Service Level Manager +42
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
2.2%
CVE-2020-35728 Maven HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.

Apache Oracle Deserialization Jackson Databind Debian Linux +38
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
41.1%
CVE-2020-35491 Maven HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Service Level Manager Debian Linux +23
NVD GitHub
CVSS 3.1
8.1
EPSS
9.5%
CVE-2020-35490 Maven HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Service Level Manager Debian Linux +22
NVD GitHub
CVSS 3.1
8.1
EPSS
7.7%
CVE-2020-25649 Maven HIGH PATCH This Week

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jackson Databind Oncommand Api Services Oncommand Workflow Automation Service Level Manager +35
NVD GitHub
CVSS 3.1
7.5
EPSS
17.6%
CVE-2020-24750 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Agile Plm Application Testing Suite Autovue For Agile Product Lifecycle Management +22
NVD GitHub
CVSS 3.1
8.1
EPSS
7.3%
CVE-2020-24616 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Agile Plm Application Testing Suite +21
NVD GitHub
CVSS 3.1
8.1
EPSS
9.3%
CVE-2020-14195 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage Debian Linux +10
NVD GitHub
CVSS 3.1
8.1
EPSS
4.5%
CVE-2020-14060 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +9
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
8.7%
CVE-2020-14062 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +10
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
7.3%
CVE-2020-14061 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Oracle Deserialization Jackson Databind Active Iq Unified Manager Steelstore Cloud Integrated Storage +12
NVD GitHub
CVSS 3.1
8.1
EPSS
4.4%
CVE-2020-11620 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Deserialization Jackson Databind Debian Linux Active Iq Unified Manager +15
NVD GitHub
CVSS 3.1
8.1
EPSS
5.6%
CVE-2020-11619 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Jackson Databind Debian Linux Active Iq Unified Manager +18
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
1.3%
CVE-2020-11113 Maven HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 60.7%.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +29
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
60.7%
CVE-2020-11112 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +28
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
6.8%
CVE-2020-11111 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +22
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2020-10969 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage Agile Plm +27
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2020-10968 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage Agile Plm +27
NVD GitHub
CVSS 3.1
8.8
EPSS
3.5%
CVE-2020-10673 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage Agile Plm +27
NVD GitHub
CVSS 3.1
8.8
EPSS
8.0%
CVE-2020-10672 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Steelstore Cloud Integrated Storage +28
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2020-9548 Maven CRITICAL POC PATCH THREAT Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Debian Linux Agile Plm +21
NVD GitHub
CVSS 3.1
9.8
EPSS
18.3%
CVE-2020-9547 Maven CRITICAL POC PATCH THREAT Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Debian Linux Autovue For Agile Product Lifecycle Management +12
NVD GitHub
CVSS 3.1
9.8
EPSS
18.7%
CVE-2020-9546 Maven CRITICAL PATCH GHSA Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Active Iq Unified Manager Debian Linux +28
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-8840 Maven CRITICAL PATCH Act Now

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Jackson Databind Debian Linux Oncommand Api Services +5
NVD GitHub
CVSS 3.1
9.8
EPSS
26.6%
CVE-2019-17531 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Jboss Enterprise Application Platform +19
NVD GitHub
CVSS 3.1
9.8
EPSS
5.3%
CVE-2019-17267 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Oncommand Api Services Oncommand Workflow Automation +8
NVD GitHub
CVSS 3.1
9.8
EPSS
4.6%
CVE-2019-16943 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Fedora Jboss Enterprise Application Platform +22
NVD GitHub
CVSS 3.1
9.8
EPSS
4.9%
CVE-2019-16942 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Fedora +25
NVD GitHub
CVSS 3.1
9.8
EPSS
5.7%
CVE-2019-16335 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Fedora Debian Linux Oncommand Api Services +13
NVD GitHub
CVSS 3.1
9.8
EPSS
4.9%
CVE-2019-14540 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Oncommand Api Services Oncommand Workflow Automation Steelstore Cloud Integrated Storage +15
NVD GitHub
CVSS 3.1
9.8
EPSS
10.7%
CVE-2019-14439 Maven HIGH PATCH This Week

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Fedora Drill +14
NVD GitHub
CVSS 3.1
7.5
EPSS
10.8%
CVE-2019-14379 Maven CRITICAL PATCH Act Now

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Java Prototype Pollution RCE Jackson Databind Debian Linux +22
NVD GitHub
CVSS 3.1
9.8
EPSS
8.0%
CVE-2019-12384 Maven MEDIUM PATCH This Month

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Jackson Databind Debian Linux Enterprise Linux
NVD GitHub
CVSS 3.1
5.9
EPSS
45.2%
CVE-2019-12814 Maven MEDIUM PATCH This Month

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux
NVD GitHub
CVSS 3.1
5.9
EPSS
11.0%
CVE-2019-12086 Maven HIGH POC PATCH THREAT This Week

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java Deserialization Jackson Databind Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
21.9%
CVE-2018-7489 Maven CRITICAL PATCH Act Now

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Deserialization Jackson Databind Debian Linux Communications Billing And Revenue Management +2
NVD GitHub
CVSS 3.0
9.8
EPSS
20.1%
CVE-2018-5968 Maven HIGH PATCH This Week

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Deserialization Jackson Databind Debian Linux Openshift Container Platform +6
NVD GitHub
CVSS 3.1
8.1
EPSS
7.0%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.

Authentication Bypass Jackson Databind
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. No public exploit code has been identified and this is not listed in CISA KEV; however, applications relying on @JsonView for security-critical field-level access control - such as role or permission gating - are directly and completely bypassed.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The GHSA advisory characterizes the impact as property tampering and mass assignment; maintainers rate it minor despite a reporter-assessed HIGH severity.

Deserialization Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Per-property @JsonIgnoreProperties filtering in jackson-databind is silently bypassed when the same property also carries @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), enabling unauthenticated network attackers (per CVSS AV:N/PR:N) to write to fields the application explicitly excluded from deserialization. The flaw spans versions from 2.8.0 through the 2.18.x, 2.19-2.21.x, and 3.1.x release lines and constitutes a mass-assignment integrity risk wherever ignored fields guard sensitive state such as privilege or role attributes. No public exploit tool or CISA KEV listing has been identified at time of analysis; vendor-released patches (2.18.9, 2.21.5, 3.1.4) were published 2026-06-04.

Information Disclosure Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.

SSRF Deserialization Jackson Databind +1
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Allowlist bypass in jackson-databind's BasicPolymorphicTypeValidator (PTV) allows attackers to instantiate non-allowlisted classes by wrapping them in arrays (e.g., EvilType[]), defeating a control intended to block deserialization gadget chains. Affects versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 when applications use allowIfSubTypeIsArray() alongside an explicit concrete-type allowlist. No public exploit identified at time of analysis, but the upstream fix and full root-cause writeup are public on GitHub.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.

Canonical Deserialization Jackson Databind +1
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Denial Of Service Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. Rated medium severity (CVSS 4.7). No vendor patch available.

Denial Of Service Jackson Databind
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind +3
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Denial Of Service Jackson Databind +3
NVD GitHub
EPSS 7% CVSS 8.1
HIGH PATCH This Week

A flaw was found in jackson-databind before 2.9.10.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +6
NVD GitHub
EPSS 2% CVSS 8.1
HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind +44
NVD GitHub VulDB
EPSS 41% CVSS 8.1
HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.

Apache Oracle Deserialization +40
NVD GitHub VulDB
EPSS 9% CVSS 8.1
HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind +25
NVD GitHub
EPSS 8% CVSS 8.1
HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind +24
NVD GitHub
EPSS 18% CVSS 7.5
HIGH PATCH This Week

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jackson Databind Oncommand Api Services +37
NVD GitHub
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Agile Plm +24
NVD GitHub
EPSS 9% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +23
NVD GitHub
EPSS 5% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Jackson Databind Active Iq Unified Manager +12
NVD GitHub
EPSS 9% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +11
NVD GitHub VulDB
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +12
NVD GitHub VulDB
EPSS 4% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Oracle Deserialization Jackson Databind +14
NVD GitHub
EPSS 6% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Deserialization Jackson Databind +17
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Deserialization Jackson Databind +20
NVD GitHub VulDB
EPSS 61% CVSS 8.8
HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 60.7%.

Apache Deserialization Jackson Databind +31
NVD GitHub VulDB
EPSS 7% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +30
NVD GitHub VulDB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +24
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +29
NVD GitHub
EPSS 4% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +29
NVD GitHub
EPSS 8% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +29
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +30
NVD GitHub
EPSS 18% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +23
NVD GitHub
EPSS 19% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +14
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +30
NVD GitHub VulDB
EPSS 27% CVSS 9.8
CRITICAL PATCH Act Now

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Jackson Databind +7
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +21
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +10
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +24
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +27
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Fedora +15
NVD GitHub
EPSS 11% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Oncommand Api Services +17
NVD GitHub
EPSS 11% CVSS 7.5
HIGH PATCH This Week

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +16
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Java Prototype Pollution RCE +24
NVD GitHub
EPSS 45% CVSS 5.9
MEDIUM PATCH This Month

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Jackson Databind +2
NVD GitHub
EPSS 11% CVSS 5.9
MEDIUM PATCH This Month

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux
NVD GitHub
EPSS 22% CVSS 7.5
HIGH POC PATCH THREAT This Week

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java Deserialization Jackson Databind +1
NVD GitHub
EPSS 20% CVSS 9.8
CRITICAL PATCH Act Now

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Deserialization Jackson Databind +4
NVD GitHub
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Deserialization Jackson Databind +8
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy