jackson-databind mishandles the interaction between serialization gadgets and typing
High severity
GitHub Reviewed
Published
May 15, 2020
to the GitHub Advisory Database
•
Updated Jul 3, 2024
Package
Affected versions
>= 2.7.0, < 2.9.10.4
>= 2.0.0, < 2.6.7.4
Patched versions
2.9.10.4
2.6.7.4
Description
Published by the National Vulnerability Database
Mar 18, 2020
Reviewed
Apr 22, 2020
Published to the GitHub Advisory Database
May 15, 2020
Last updated
Jul 3, 2024
FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
References