Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI2OTUtN3ZyOS1qZ2My

High EPSS: 0.02828% (0.85645 Percentile) EPSS:
Permalink JSON

Unsafe Deserialization in jackson-databind

Affected Packages Affected Versions Fixed Versions
maven:com.fasterxml.jackson.core:jackson-databind >= 2.0.0, < 2.9.10.8 2.9.10.8
23,566 Dependent packages
244,221 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0, 2.0.0-RC1, 2.0.0-RC2, 2.0.0-RC3, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.0-rc1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.0-rc1, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.0-rc1, 2.4.0-rc2, 2.4.0-rc3, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.0-rc1, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.0-rc1, 2.6.0-rc2, 2.6.0-rc3, 2.6.0-rc4, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3, 2.7.1, 2.7.1-1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.8.0, 2.8.1, 2.8.11.1, 2.8.11.2, 2.8.11.3, 2.8.11.4, 2.8.11.5, 2.8.11.6, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.9.0, 2.9.10.1, 2.9.10.2, 2.9.10.3, 2.9.10.4, 2.9.10.5, 2.9.10.6, 2.9.10.7

All unaffected versions

2.9.1, 2.9.10.8, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.18.0, 2.18.1, 2.18.2, 2.18.3, 2.18.4, 2.18.5, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.20.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

References:

Identifiers

GHSA-r695-7vr9-jgc2

CVE-2020-36187

Risk

Severity

High

EPSS

EPSS Percentage: 0.02828

EPSS Percentile: 0.85645

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/FasterXML/jackson-databind

Date and time

Published

almost 4 years ago

Updated

about 2 years ago

API

JSON