CVE-2020-10969

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

References

Affected packages

Debian:11 / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type: GIT
Repo: https://github.com/fasterxml/jackson-databind
Events: Introduced

50791cc7856376949287e0be3e96147665ab8f68

Fixed

e8697cdbf415028b171f9b7698f3308eda00a3c7

Affected versions

jackson-databind-2.*

jackson-databind-2.6.5

jackson-databind-2.6.6

jackson-databind-2.6.7

jackson-databind-2.6.7.1

jackson-databind-2.7.0

jackson-databind-2.7.1

jackson-databind-2.7.1-1

jackson-databind-2.7.2

jackson-databind-2.7.3

jackson-databind-2.7.4

jackson-databind-2.7.5

jackson-databind-2.7.6

jackson-databind-2.7.7

jackson-databind-2.7.8

jackson-databind-2.7.9

jackson-databind-2.7.9.1

jackson-databind-2.7.9.2

jackson-databind-2.7.9.3

jackson-databind-2.7.9.4

jackson-databind-2.7.9.5

jackson-databind-2.7.9.6