Incomplete Blacklist Affecting libjackson-json-java package, versions <1.9.13-2~deb10u1


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 49.3% (98th percentile)
Expand this section
NVD
9.8 critical
Expand this section
Red Hat
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN10-LIBJACKSONJSONJAVA-536373
  • published 6 Feb 2018
  • disclosed 6 Feb 2018

How to fix?

Upgrade Debian:10 libjackson-json-java to version 1.9.13-2~deb10u1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjackson-json-java package and not the libjackson-json-java package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.