View all vulnerabilities

CVE-2020-24750

Unsafe Deserialization in jackson-databind

FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
8.1
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions
com.fasterxml.jackson.core:jackson-databind >= 2.0 < 2.6.7.5; com.fasterxml.jackson.core:jackson-databind >= 2.7.0 < 2.9.10.6
Severity
High
Ecosystem
Publish Date
December 9, 2021
Modified Date
February 18, 2024