Seal Security

CVE-2020-8840

Deserialization of Untrusted Data in jackson-databind

FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

9.8

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Versions

com.fasterxml.jackson.core:jackson-databind >= 2.0.0 < 2.6.7.4; com.fasterxml.jackson.core:jackson-databind >= 2.7.0 < 2.7.9.7; com.fasterxml.jackson.core:jackson-databind >= 2.8.0 < 2.8.11.5; com.fasterxml.jackson.core:jackson-databind >= 2.9.0 < 2.9.10.3

Severity

Ecosystem

Publish Date

March 4, 2020

Modified Date

March 16, 2024