<p>There is no fixed version for <code>Centos:8</code> <code>jackson-databind</code>.</p>

Deserialization of Untrusted Data Affecting jackson-databind package, versions *

Snyk CVSS

Attack Complexity Low

Confidentiality High

Threat Intelligence

EPSS 2.48% (90^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-CENTOS8-JACKSONDATABIND-1943786
published 26 Jul 2021
disclosed 20 Sep 2019

Report a new vulnerability Found a mistake?

Introduced: 20 Sep 2019

CVE-2019-14893 Open this link in a new tab CWE-502 Open this link in a new tab CWE-200 Open this link in a new tab

How to fix?

There is no fixed version for Centos:8 jackson-databind.

NVD Description

Note: Versions mentioned in the description apply only to the upstream jackson-databind package and not the jackson-databind package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.