
Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.


Threat Intelligence


CVE-2026-54518: CWE-863: Incorrect Authorization in FasterXML jackson-databind

A medium severity authorization vulnerability exists in FasterXML jackson-databind versions prior to 2.21.4 and 3.1.4. The flaw allows attacker-controlled JSON to populate constructor parameters annotated with both @JsonView and @JsonUnwrapped, bypassing intended view-based access controls. This occurs because the unwrapped-creator replay path does not enforce visibility checks on creator properties. The issue is fixed in versions 2.21.4 and 3.1.4.

CVE-2026-54517: CWE-863: Incorrect Authorization in FasterXML jackson-databind

A medium severity authorization vulnerability (CWE-863) exists in FasterXML jackson-databind versions from 2.21.0 up to but not including 2.21.4 and 3.1.4. The issue involves incorrect application of the @JsonView filter during deserialization, allowing attacker-controlled JSON to populate setterless Collection/Map properties annotated with restricted views, bypassing intended view-based access controls. This flaw is fixed in versions 2.21.4 and 3.1.4.

CVE-2026-54516: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in FasterXML jackson-databind

A vulnerability in FasterXML jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4 allows an attacker to bypass @JsonIgnore on a setter by renaming a property with @JsonProperty on the getter. This leads to direct modification of a private backing field during deserialization. The issue is fixed in version 3.1.4.

CVE-2026-54515: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in FasterXML jackson-databind

A vulnerability in FasterXML jackson-databind, affecting versions from 2.8.0 up to the fixed versions, allows ignored properties to become writable again because property exclusions are handled improperly in combination with case-insensitivity processing. The issue is classified as CWE-915 and affects the BeanDeserializerBase.createContextual() method. It has medium severity with a CVSS score of 5.3 and is fixed in versions 2.18.9, 2.21.5, and 3.1.4.

CVE-2026-54514: CWE-918: Server-Side Request Forgery (SSRF) in FasterXML jackson-databind

A Server-Side Request Forgery (SSRF) vulnerability exists in FasterXML jackson-databind due to eager DNS resolution during deserialization of InetSocketAddress fields. Versions from 2.0.0 up to but not including 2.18.8, 2.21.4, and 3.1.4 are affected. The issue arises because the deserializer performs DNS resolution immediately, allowing an attacker to trigger DNS queries before application-level validation. This vulnerability is fixed in versions 2.18.8, 2.21.4, and 3.1.4 by deferring DNS resolution until an explicit connection attempt.

CVE-2026-54513: CWE-184: Incomplete List of Disallowed Inputs in FasterXML jackson-databind

A vulnerability in FasterXML jackson-databind affects versions from 2.10.0 up to but not including 2.18.8, 2.21.4, and 3.1.4. The issue arises because the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() method allowlists array types based only on whether the class is an array, without validating the component type against the allowlist. This allows deserialization of arrays of disallowed types, bypassing intended security checks. The vulnerability is fixed in versions 2.18.8, 2.21.4, and 3.1.4.

CVE-2026-54512: CWE-184: Incomplete List of Disallowed Inputs in FasterXML jackson-databind

A vulnerability in jackson-databind's polymorphic deserialization allows bypassing the configured PolymorphicTypeValidator (PTV) allow-list when generic type parameters are used. This occurs because only the raw container class name is validated, not the nested generic type arguments. An attacker controlling the type ID can specify a denied class as a generic parameter within an allowed container, leading to unsafe deserialization and potential remote code execution. This issue affects versions from 2.10.0 up to but not including 2.18.8, 2.21.4, and 3.1.4, where it is fixed.

CVE-2026-50193: CWE-400: Uncontrolled Resource Consumption in FasterXML jackson-databind

A denial-of-service vulnerability exists in FasterXML jackson-databind versions from 2.13.0 up to but not including 2.14.0. The issue occurs when processing deeply nested JSON structures (thousands of levels) using ObjectMapper.readTree() and then serializing the JsonNode back to a string. This can lead to uncontrolled resource consumption, potentially impacting service availability. The vulnerability is fixed in version 2.14.0.
