CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References

Affected packages

Git / github.com/apache/nifi

Affected ranges

Type

GIT

Repo

https://github.com/apache/nifi

Events

Introduced

99bcd1f88dc826f857ae4ab33e842110bfc6ce21

Last affected

accfaa3034fa5c3ef55d6402ac31e500247100f9

Database specific

{
    "versions": [
        {
            "introduced": "1.7.0"
        },
        {
            "last_affected": "1.12.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/fasterxml/jackson-databind

Events

Introduced

Fixed

e19c557b789113f900018208d87446c34ae4fab3

Introduced

50791cc7856376949287e0be3e96147665ab8f68

Fixed

d0e9952ea70d1af5c512322a32456f237afb9e9b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.7.5"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.9.10.7"
        }
    ]
}

Affected versions

jackson-databind-2.*

jackson-databind-2.6.5

jackson-databind-2.6.6

jackson-databind-2.6.7

jackson-databind-2.6.7.1

jackson-databind-2.7.0

jackson-databind-2.7.1

jackson-databind-2.7.1-1

jackson-databind-2.7.2

jackson-databind-2.7.3

jackson-databind-2.7.4

jackson-databind-2.7.5

jackson-databind-2.7.6

jackson-databind-2.7.7

jackson-databind-2.7.8

jackson-databind-2.7.9

jackson-databind-2.7.9.1

jackson-databind-2.7.9.2

jackson-databind-2.7.9.3

jackson-databind-2.7.9.4

jackson-databind-2.7.9.5

jackson-databind-2.7.9.6

jackson-databind-2.7.9.7

jackson-databind-2.8.0

jackson-databind-2.8.1

jackson-databind-2.8.10

jackson-databind-2.8.11

jackson-databind-2.8.11.1

jackson-databind-2.8.11.2

jackson-databind-2.8.11.3

jackson-databind-2.8.11.4

jackson-databind-2.8.11.5

jackson-databind-2.8.11.6

jackson-databind-2.8.2

jackson-databind-2.8.3

jackson-databind-2.8.4

jackson-databind-2.8.5

jackson-databind-2.8.6

jackson-databind-2.8.7

jackson-databind-2.8.8

jackson-databind-2.8.8.1

jackson-databind-2.8.9

jackson-databind-2.9.0

jackson-databind-2.9.0.pr1

jackson-databind-2.9.0.pr2

jackson-databind-2.9.0.pr3

jackson-databind-2.9.0.pr4

jackson-databind-2.9.1

jackson-databind-2.9.10

jackson-databind-2.9.10.1

jackson-databind-2.9.10.2

jackson-databind-2.9.10.3

jackson-databind-2.9.10.4

jackson-databind-2.9.10.5

jackson-databind-2.9.10.6

jackson-databind-2.9.2

jackson-databind-2.9.3

jackson-databind-2.9.4

jackson-databind-2.9.5

jackson-databind-2.9.6

jackson-databind-2.9.7

jackson-databind-2.9.8

jackson-databind-2.9.9

jackson-databind-2.9.9.1

jackson-databind-2.9.9.2

jackson-databind-2.9.9.3

nifi-1.*

nifi-1.10.0-RC3

nifi-1.11.0-RC3

nifi-1.12.0-RC1

nifi-1.12.1-RC2

nifi-1.7.0-RC1

nifi-1.8.0-RC3

nifi-1.9.0-RC2

rel/nifi-1.*

rel/nifi-1.10.0

rel/nifi-1.11.0

rel/nifi-1.12.0

rel/nifi-1.12.1

rel/nifi-1.7.0

rel/nifi-1.8.0

rel/nifi-1.9.0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.3.2"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-20190.json"