MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1jNmgtNHFncC0zN3Fo

High EPSS: 0.09511% (0.92466 Percentile) EPSS:

Permalink JSON

Deserialization of untrusted data in Jackson Databind

Affected Packages	Affected Versions	Fixed Versions
maven:com.fasterxml.jackson.core:jackson-databind	>= 2.9.0, <= 2.9.10.4	2.9.10.5
23,566 Dependent packages 244,221 Dependent repositories Affected Version Ranges All affected versions 2.9.0, 2.9.1-0.1, 2.9.1-0.2, 2.9.1-0.3, 2.9.1-0.4 All unaffected versions 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.18.0, 2.18.1, 2.18.2, 2.18.3, 2.18.4, 2.19.0, 2.19.1, 2.19.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

References:

Identifiers

GHSA-mc6h-4qgp-37qh

CVE-2020-14195

Risk

Severity

High

EPSS

EPSS Percentage: 0.09511

EPSS Percentile: 0.92466

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/FasterXML/jackson-databind

Date and time

Published

about 5 years ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories