CVE-2021-20190
Severity: HIGH (8.1) | EPSS: 0.50% | Deserialization of untrusted data in jackson-databind
Published: 2021/1/20 | Modified: 2025/9/15
Description
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. As with the other jackson-databind gadget CVEs, the flaw is reachable only when the application enables polymorphic (default) typing, so that incoming JSON can name the class to instantiate for an Object-typed or abstract property; the fix adds one more gadget type to the library's block list, and the durable mitigation is to disable default typing or restrict it with an allow-list type validator rather than rely on the block list keeping pace with new gadgets.
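The following is an added example, not code from the jackson-databind project or from this advisory. It shows the ObjectMapper configuration pattern that this class of issue depends on: with default typing enabled and no type validator, the JSON document names the class Jackson instantiates for an Object-typed property; on jackson-databind 2.10 or later, a PolymorphicTypeValidator restricts which subtypes may be named. The classes Message and Payload, the package com.example.demo, and both JSON documents are constructed for the demo; java.net.URL is used only as a harmless stand-in for "a class the application never expected", and is not a claim about the gadget behind this CVE.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not jackson-databind project code). Requires jackson-databind >= 2.10
// on the classpath, because activateDefaultTyping() and BasicPolymorphicTypeValidator
// were introduced in 2.10. Message, Payload and the JSON inputs are invented for the demo.
public class DefaultTypingDemo {

    // A POJO with an Object-typed field. With default typing enabled, the JSON
    // document decides which class is instantiated for this field.
    public static class Message {
        public String id;
        public Object payload;
    }

    // The only payload type the application actually expects.
    public static class Payload {
        public String text;
    }

    // Constructed input: the type id (first array element, WRAPPER_ARRAY format) is
    // chosen by the sender. java.net.URL is only a stand-in for an unexpected class.
    static final String UNTRUSTED_JSON =
        "{\"id\":\"1\",\"payload\":[\"java.net.URL\",\"http://example.invalid/\"]}";

    // Constructed input naming the class the application does expect.
    static final String EXPECTED_JSON =
        "{\"id\":\"2\",\"payload\":[\"com.example.demo.DefaultTypingDemo$Payload\",{\"text\":\"hi\"}]}";

    // Weak setting: default typing with no validator (the pre-2.10 API, kept in 2.10+
    // as deprecated). Any class on the classpath that Jackson can construct is accepted;
    // only the library's built-in block list stands between the input and a gadget.
    @SuppressWarnings("deprecation")
    static ObjectMapper permissiveMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // same as DefaultTyping.OBJECT_AND_NON_CONCRETE
        return mapper;
    }

    // Hardened setting: same applicability, but only subtypes under the application's
    // own package prefix may be named in the type id. Anything else is rejected
    // before a deserializer is even looked up.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.demo.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Permissive mapper: the sender-chosen class is resolved and instantiated.
        Message m = permissiveMapper().readValue(UNTRUSTED_JSON, Message.class);
        System.out.println("permissive: payload resolved to " + m.payload.getClass().getName());

        // Hardened mapper: the expected type still works...
        ObjectMapper hardened = hardenedMapper();
        Message ok = hardened.readValue(EXPECTED_JSON, Message.class);
        System.out.println("hardened: expected payload text = " + ((Payload) ok.payload).text);

        // ...and a type id outside the allow-list is refused with InvalidTypeIdException,
        // which is a JsonMappingException subclass.
        try {
            hardened.readValue(UNTRUSTED_JSON, Message.class);
            System.out.println("hardened: unexpected class accepted (should not happen)");
        } catch (JsonMappingException e) {
            System.out.println("hardened: rejected type id: " + e.getOriginalMessage());
        }
    }
}
```

On the 2.9 line there is no validator API, so the only remedy is to upgrade to 2.9.10.7 or later (or to stop calling enableDefaultTyping() on mappers that read untrusted input). To find out whether a Maven build pulls an affected artifact, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` and compare the resolved version with the affected range listed on this page; transitive dependencies (for example from a NiFi or Spring distribution) are the usual source of an old jackson-databind.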
Affected packages (3)
| Ecosystem | Package | Affected versions |
|---|---|---|
| Bitnami | nifi | >= 1.7.0, <= 1.12.1 |
| Debian | jackson-databind | from 0, < 2.12.1-1 |
| Maven | com.fasterxml.jackson.core:jackson-databind | >= 2.7.0, < 2.9.10.7 |
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (11)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-20190
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-20190
- PATCH: https://github.com/FasterXML/jackson-databind
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- WEB: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- WEB: https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
- WEB: https://github.com/FasterXML/jackson-databind/issues/2854
- WEB: https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
- WEB: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- WEB: https://security.netapp.com/advisory/ntap-20210219-0008/
- WEB: https://www.oracle.com//security-alerts/cpujul2021.html