Seal Security

CVE-2020-9547

jackson-databind mishandles the interaction between serialization gadgets and typing

FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

9.8

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Versions

com.fasterxml.jackson.core:jackson-databind >= 2.9.0 < 2.9.10.4; com.fasterxml.jackson.core:jackson-databind >= 2.8.0 < 2.8.11.6; com.fasterxml.jackson.core:jackson-databind >= 2.0.0 < 2.7.9.7

Severity

Ecosystem

Publish Date

May 15, 2020

Modified Date

March 16, 2024