GHSA-9mxf-g3x6-wv74

Suggest an improvement
Source
https://github.com/advisories/GHSA-9mxf-g3x6-wv74
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9mxf-g3x6-wv74
Aliases
Published
2019-01-04T19:07:06Z
Modified
2024-03-14T05:31:44.064870Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Server-Side Request Forgery (SSRF) in jackson-databind
Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

References

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.9.0
Fixed
2.9.7

Affected versions

2.*

2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.11.3

Affected versions

2.*

2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.8.10
2.8.11
2.8.11.1
2.8.11.2

Database specific

{
    "last_known_affected_version_range": "<= 2.8.11.2"
}

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.9.5

Affected versions

2.*

2.7.0
2.7.1
2.7.1-1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.9.1
2.7.9.2
2.7.9.3
2.7.9.4

Database specific

{
    "last_known_affected_version_range": "<= 2.7.9.4"
}