GHSA-6wqp-v4v6-c87c

Suggest an improvement
Source
https://github.com/advisories/GHSA-6wqp-v4v6-c87c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6wqp-v4v6-c87c
Aliases
Published
2020-06-15T18:44:51Z
Modified
2024-03-11T05:31:21.442429Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Deserialization of Untrusted Data
Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

References

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.9.4

Affected versions

2.*

2.7.0
2.7.1
2.7.1-1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.9.1
2.7.9.2
2.7.9.3

Database specific

{
    "last_known_affected_version_range": "<= 2.7.9.3"
}

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.11.2

Affected versions

2.*

2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.8.10
2.8.11
2.8.11.1

Database specific

{
    "last_known_affected_version_range": "<= 2.8.11.1"
}

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.9.0
Fixed
2.9.6

Affected versions

2.*

2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5