fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [security] (master)

[renovatebot-confluentinc]

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.fasterxml.jackson.core:jackson-databind (source)	2.9.10.5 -> 2.12.7.1

GitHub Vulnerability Alerts

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-24616

This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVE-2022-42004

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled.

CVE-2022-42003

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are
FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.

Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.

The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures

CVE-2020-36518

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

---

Code Injection in jackson-databind

CVE-2020-24616 / GHSA-h3cw-g4mq-c5x2

More information

Details

This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-24616
• https://github.com/FasterXML/jackson-databind/issues/2814
• https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://medium.com/@​cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://security.netapp.com/advisory/ntap-20200904-0006
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-24750 / GHSA-qjw2-hr98-qgfh

More information

Details

FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-24750
• https://github.com/FasterXML/jackson-databind/issues/2798
• https://github.com/FasterXML/jackson-databind/commit/2118e71325486c68f089a9761c9d8a11b4ddd1cb
• https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f
• https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20201009-0003
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Deserialization of untrusted data in jackson-databind

BIT-nifi-2021-20190 / CVE-2021-20190 / GHSA-5949-rw7g-wx7w

More information

Details

A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-20190
• https://github.com/FasterXML/jackson-databind/issues/2854
• https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
• https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
• https://bugzilla.redhat.com/show_bug.cgi?id=1916633
• https://github.com/FasterXML/jackson-databind
• https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210219-0008
• https://www.oracle.com//security-alerts/cpujul2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

XML External Entity (XXE) Injection in Jackson Databind

CVE-2020-25649 / GHSA-288c-cq4h-88gq

More information

Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-25649
• https://github.com/FasterXML/jackson-databind/issues/2589
• https://github.com/FasterXML/jackson-databind/commit/3d932709abd0b5390efe67451653fc9efa9db677
• https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E
• https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@​%3Cusers.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@​%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@​%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@​%3Cissues.flink.apache.org%3E
• https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@​%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@​%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@​%3Ccommits.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@​%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@​%3Cusers.kafka.apache.org%3E
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://security.netapp.com/advisory/ntap-20210108-0007
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT
• https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@​%3Ccommits.karaf.apache.org%3E
• https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@​%3Ccommits.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@​%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E
• https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@​%3Ccommits.servicecomb.apache.org%3E
• https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@​%3Cdev.hive.apache.org%3E
• https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@​%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@​%3Ccommits.turbine.apache.org%3E
• https://github.com/FasterXML/jackson-databind
• https://bugzilla.redhat.com/show_bug.cgi?id=1887664
• https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@​%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@​%3Cuser.spark.apache.org%3E
• https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@​%3Ccommits.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@​%3Creviews.iotdb.apache.org%3E
• https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@​%3Cnotifications.iotdb.apache.org%3E
• https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@​%3Ccommits.iotdb.apache.org%3E
• https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@​%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E
• https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@​%3Cusers.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@​%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E
• https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@​%3Cdev.knox.apache.org%3E
• https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@​%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@​%3Creviews.iotdb.apache.org%3E

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36186 / GHSA-v585-23hc-c647

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36186
• https://github.com/FasterXML/jackson-databind/issues/2997
• https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36180 / GHSA-8c4j-34r4-xr8g

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36180
• https://github.com/FasterXML/jackson-databind/issues/3004
• https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36183 / GHSA-9m6f-7xcq-8vf8

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36183
• https://github.com/FasterXML/jackson-databind/issues/3003
• https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Serialization gadget exploit in jackson-databind

CVE-2020-35728 / GHSA-5r5r-6hpj-8gg9

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-35728
• https://github.com/FasterXML/jackson-databind/issues/2999
• https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://medium.com/@​cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://security.netapp.com/advisory/ntap-20210129-0007
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36185 / GHSA-8w26-6f25-cm9x

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36185
• https://github.com/FasterXML/jackson-databind/issues/2998
• https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36188 / GHSA-f9xh-2qgp-cq57

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36188
• https://github.com/FasterXML/jackson-databind/issues/2996
• https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36179 / GHSA-9gph-22xh-8x98

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36179
• https://github.com/FasterXML/jackson-databind/issues/3004
• https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@​%3Cissues.spark.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36187 / GHSA-r695-7vr9-jgc2

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36187
• https://github.com/FasterXML/jackson-databind/issues/2997
• https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36189 / GHSA-vfqx-33qm-g869

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36189
• https://github.com/FasterXML/jackson-databind/issues/2996
• https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://github.com/FasterXML/jackson-databind
• https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
• https://security.netapp.com/advisory/ntap-20210205-0005
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unsafe Deserialization in jackson-databind

CVE-2020-36184 / GHSA-m6x4-97wx-4q27

More information

Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-36184
• https://github.com/FasterXML/jackson-databind/issues/2998
• https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a
• [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062