View all vulnerabilities

CVE-2020-14060

Deserialization of untrusted data in Jackson Databind

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
8.1
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions
com.fasterxml.jackson.core:jackson-databind >= 2.9.0 < 2.9.10.5
Severity
High
Ecosystem
Publish Date
June 18, 2020
Modified Date
March 14, 2024