GHSA-wrr7-33fx-rcvj: Deserialization of Untrusted Data in jackson-databind
CVSS Score: N/A
Basic Information
CVE ID: -
GHSA ID: GHSA-wrr7-33fx-rcvj
EPSS Score: -
CWE: -
Published: 6/15/2020
Updated: 1/9/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | maven | >= 2.7.0, <= 2.7.9.3 | 2.7.9.4 |
| com.fasterxml.jackson.core:jackson-databind | maven | >= 2.8.0, <= 2.8.11.1 | 2.8.11.2 |
| com.fasterxml.jackson.core:jackson-databind | maven | >= 2.9.0, < 2.9.6 | 2.9.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The patch modifies the SubTypeValidator class to blacklist 'jodd.db.connection.DataSourceConnectionProvider', indicating that the deserialization process was vulnerable to attacks involving this class. The isValidSubType() method is likely the relevant function, as it is responsible for subtype validation.