A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | 0 | 2.6.7.3 | N/A |
| com.fasterxml.jackson.core:jackson-databind (Maven) | 2.7.0 | 2.8.11.5 | N/A |
| com.fasterxml.jackson.core:jackson-databind (Maven) | 2.9.0 | 2.9.10 | N/A |
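The root cause in this advisory is Jackson's default typing: when it is enabled globally, the JSON document itself names the Java class to instantiate, and any gadget class on the classpath (here, commons-configuration's JNDI classes) becomes reachable. Upgrading to the fixed versions listed above removes these particular gadgets from the block list, but the durable mitigation is to not let untrusted input choose the target class at all. The following is an added example, not code from the advisory or from the jackson-databind project. It contrasts the weak setting with two hardened ones; the `PolymorphicTypeValidator` API it uses was introduced in jackson-databind 2.10, so it is a step beyond the 2.9.10/2.8.11.5/2.6.7.3 fix versions named on this page. The package prefix `com.example.model.` and the `Shape`/`Circle`/`Square` types are assumptions made for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDeserialization {

    // Weak setting: unrestricted default typing. Any polymorphic property may
    // carry a class name chosen by the sender, so every class on the classpath
    // (including third-party gadget classes) is a candidate for instantiation.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened setting (jackson-databind 2.10+): default typing is only activated
    // together with a validator that restricts subtypes to an allow-listed package.
    // "com.example.model." is an assumed application package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Preferred setting: no default typing at all. Polymorphism is declared per
    // base type with a closed list of subtypes and logical names, so the JSON
    // never carries a Java class name. These types are assumed for illustration.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper(); // default typing never enabled

        // Constructed sample input: a logical type name, not a class name.
        String json = "{\"type\":\"circle\",\"radius\":2.5}";
        Shape shape = mapper.readValue(json, Shape.class);
        System.out.println("deserialized as " + shape.getClass().getSimpleName());

        // A type id outside the declared list is rejected before any class is
        // loaded or instantiated; log these as a signal of probing.
        try {
            mapper.readValue("{\"type\":\"not-a-declared-subtype\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

For a codebase still pinned to the 2.9.x/2.8.x/2.6.x lines covered by this advisory, the `@JsonTypeInfo`/`@JsonSubTypes` allow-list approach in `main` works unchanged, and auditing for any call to `enableDefaultTyping` (or `@JsonTypeInfo(use = Id.CLASS)` on types fed from untrusted input) is the quickest way to find where a gadget class could still be named by an attacker.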