RHSA-2019:0782-01 -- Redhat rh-maven35-jackson-databindID: oval:org.secpod.oval:def:504959 | Date: (C)2021-01-29 (M)2024-04-11 |
Class: PATCH | Family: unix |
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: * jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis * jackson-databind: improper polymorphic deserialization of types from Jodd-db library * jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver * jackson-databind: arbitrary code execution in slf4j-ext class * jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes * jackson-databind: improper polymorphic deserialization in axis2-transport-jms class * jackson-databind: improper polymorphic deserialization in openjpa class * jackson-databind: improper polymorphic deserialization in jboss-common-core class * jackson-databind: exfiltration/XXE in some JDK classes * jackson-databind: server-side request forgery in axis2-jaxws class For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Platform: |
Red Hat Enterprise Linux 7 |
Product: |
rh-maven35-jackson-databind |