OESA-2022-1782
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1782
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2022-1782.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2022-1782
- Upstream
- Published
- 2022-07-26T11:04:02Z
- Modified
- 2025-08-12T05:04:29.435281Z
- Summary
- jackson-databind security update
- Details
-
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.
Security Fix(es):
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.(CVE-2019-17531)
- Database specific
{ "severity": "Critical" }- References
Affected packages
openEuler:20.03-LTS-SP1 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:rpm/openEuler/jackson-databind&distro=openEuler-20.03-LTS-SP1