View all vulnerabilities

CVE-2020-10673

jackson-databind mishandles the interaction between serialization gadgets and typing

FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
8.7
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Versions
com.fasterxml.jackson.core:jackson-databind >= 2.7.0 < 2.9.10.4; com.fasterxml.jackson.core:jackson-databind >= 2.0.0 < 2.6.7.4
Severity
High
Ecosystem
Publish Date
May 15, 2020
Modified Date
July 3, 2024