Filtered by vendor Fasterxml Subscriptions
Filtered by product Jackson-databind Subscriptions
Total 70 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-14721 4 Debian, Fasterxml, Oracle and 1 more 21 Debian Linux, Jackson-databind, Banking Platform and 18 more 2024-11-21 N/A
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720 4 Debian, Fasterxml, Oracle and 1 more 21 Debian Linux, Jackson-databind, Banking Platform and 18 more 2024-11-21 N/A
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14719 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 28 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-14718 5 Debian, Fasterxml, Netapp and 2 more 36 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 33 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2018-12023 5 Debian, Fasterxml, Fedoraproject and 2 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2024-11-21 N/A
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-12022 5 Debian, Fasterxml, Fedoraproject and 2 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2024-11-21 7.5 High
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-11307 3 Fasterxml, Oracle, Redhat 18 Jackson-databind, Clusterware, Communications Instant Messaging Server and 15 more 2024-11-21 9.8 Critical
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVE-2017-7525 5 Debian, Fasterxml, Netapp and 2 more 30 Debian Linux, Jackson-databind, Oncommand Balance and 27 more 2024-11-21 9.8 Critical
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVE-2017-17485 4 Debian, Fasterxml, Netapp and 1 more 15 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 12 more 2024-11-21 9.8 Critical
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVE-2017-15095 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more 2024-11-21 9.8 Critical
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.