First published: Fri Jan 15 2021(Updated: )
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Disconnected Log Collector | <=v1.0 - v1.8.2 | |
redhat/jackson-databind | <2.9.10.7 | 2.9.10.7 |
maven/com.fasterxml.jackson.core:jackson-databind | <2.6.7.5 | 2.6.7.5 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<2.9.10.7 | 2.9.10.7 |
FasterXML jackson-databind | <2.6.7.5 | |
FasterXML jackson-databind | >=2.7.0<2.9.10.7 | |
Netapp Active Iq Unified Manager Linux | ||
Netapp Active Iq Unified Manager Windows | ||
NetApp OnCommand API Services | ||
NetApp OnCommand Insight | ||
NetApp Service Level Manager | ||
Apache NiFi | >=1.7.0<=1.12.1 | |
Debian Debian Linux | =9.0 | |
Oracle Commerce Guided Search And Experience Manager | =11.3.2 |
The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid javax.swing in the classpath
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-20190 is a vulnerability in jackson-databind that mishandles the interaction between serialization gadgets and typing, posing a threat to data confidentiality, integrity, and system availability.
CVE-2021-20190 has a severity score of 8.1 (high).
CVE-2021-20190 affects jackson-databind versions before 2.9.10.7 and 2.6.7.5.
To fix CVE-2021-20190, update jackson-databind to version 2.9.10.7 or higher.
You can find more information about CVE-2021-20190 at the following references: [CVE-2021-20190](https://www.cve.org/CVERecord?id=CVE-2021-20190), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-20190), [GitHub Advisory](https://github.com/advisories/GHSA-5949-rw7g-wx7w), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1916633), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:1515)