Deserialization of untrusted data in Jackson Databind
High severity
GitHub Reviewed
Published
Jun 18, 2020
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Package
Affected versions
>= 2.9.0, <= 2.9.10.4
Patched versions
2.9.10.5
Description
Published by the National Vulnerability Database
Jun 14, 2020
Reviewed
Jun 18, 2020
Published to the GitHub Advisory Database
Jun 18, 2020
Last updated
Feb 1, 2023
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
References