jackson-databind-2.10.5.1-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10868-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z jackson-databind-2.10.5.1-2.2 on GA media These are all security issues fixed in the jackson-databind-2.10.5.1-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10868 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-11307/ SUSE CVE CVE-2018-11307 page https://www.suse.com/security/cve/CVE-2018-12022/ SUSE CVE CVE-2018-12022 page https://www.suse.com/security/cve/CVE-2018-12023/ SUSE CVE CVE-2018-12023 page https://www.suse.com/security/cve/CVE-2018-14718/ SUSE CVE CVE-2018-14718 page https://www.suse.com/security/cve/CVE-2018-14721/ SUSE CVE CVE-2018-14721 page https://www.suse.com/security/cve/CVE-2018-19360/ SUSE CVE CVE-2018-19360 page https://www.suse.com/security/cve/CVE-2018-19361/ SUSE CVE CVE-2018-19361 page https://www.suse.com/security/cve/CVE-2018-7489/ SUSE CVE CVE-2018-7489 page https://www.suse.com/security/cve/CVE-2019-12086/ SUSE CVE CVE-2019-12086 page https://www.suse.com/security/cve/CVE-2019-12384/ SUSE CVE CVE-2019-12384 page https://www.suse.com/security/cve/CVE-2019-12814/ SUSE CVE CVE-2019-12814 page https://www.suse.com/security/cve/CVE-2019-14379/ SUSE CVE CVE-2019-14379 page https://www.suse.com/security/cve/CVE-2019-14439/ SUSE CVE CVE-2019-14439 page https://www.suse.com/security/cve/CVE-2019-14540/ SUSE CVE CVE-2019-14540 page https://www.suse.com/security/cve/CVE-2019-14893/ SUSE CVE CVE-2019-14893 page https://www.suse.com/security/cve/CVE-2019-16942/ SUSE CVE CVE-2019-16942 page https://www.suse.com/security/cve/CVE-2019-17267/ SUSE CVE CVE-2019-17267 page https://www.suse.com/security/cve/CVE-2019-17531/ SUSE CVE CVE-2019-17531 page https://www.suse.com/security/cve/CVE-2019-20330/ SUSE CVE CVE-2019-20330 page https://www.suse.com/security/cve/CVE-2020-25649/ SUSE CVE CVE-2020-25649 page https://www.suse.com/security/cve/CVE-2020-35728/ SUSE CVE CVE-2020-35728 page https://www.suse.com/security/cve/CVE-2021-20190/ SUSE CVE CVE-2021-20190 page openSUSE Tumbleweed jackson-databind-2.10.5.1-2.2 jackson-databind-javadoc-2.10.5.1-2.2 jackson-databind-2.10.5.1-2.2 as a component of openSUSE Tumbleweed jackson-databind-javadoc-2.10.5.1-2.2 as a component of openSUSE Tumbleweed An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. CVE-2018-11307 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11307.html CVE-2018-11307 An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. CVE-2018-12022 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12022.html CVE-2018-12022 An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. CVE-2018-12023 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12023.html CVE-2018-12023 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. CVE-2018-14718 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14718.html CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. CVE-2018-14721 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14721.html CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. CVE-2018-19360 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19360.html CVE-2018-19360 FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. CVE-2018-19361 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19361.html CVE-2018-19361 FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. CVE-2018-7489 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7489.html CVE-2018-7489 https://bugzilla.suse.com/1202327 SUSE Bug 1202327 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. CVE-2019-12086 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12086.html CVE-2019-12086 https://bugzilla.suse.com/1202327 SUSE Bug 1202327 FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. CVE-2019-12384 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12384.html CVE-2019-12384 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. CVE-2019-12814 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12814.html CVE-2019-12814 SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. CVE-2019-14379 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14379.html CVE-2019-14379 https://bugzilla.suse.com/1165035 SUSE Bug 1165035 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. CVE-2019-14439 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14439.html CVE-2019-14439 https://bugzilla.suse.com/1165034 SUSE Bug 1165034 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. CVE-2019-14540 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14540.html CVE-2019-14540 https://bugzilla.suse.com/1165038 SUSE Bug 1165038 https://bugzilla.suse.com/1165039 SUSE Bug 1165039 A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. CVE-2019-14893 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14893.html CVE-2019-14893 https://bugzilla.suse.com/1157186 SUSE Bug 1157186 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. CVE-2019-16942 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16942.html CVE-2019-16942 https://bugzilla.suse.com/1165041 SUSE Bug 1165041 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. CVE-2019-17267 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17267.html CVE-2019-17267 https://bugzilla.suse.com/1165044 SUSE Bug 1165044 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. CVE-2019-17531 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17531.html CVE-2019-17531 FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. CVE-2019-20330 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20330.html CVE-2019-20330 https://bugzilla.suse.com/1160113 SUSE Bug 1160113 A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. CVE-2020-25649 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25649.html CVE-2020-25649 https://bugzilla.suse.com/1177616 SUSE Bug 1177616 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). CVE-2020-35728 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35728.html CVE-2020-35728 https://bugzilla.suse.com/1180391 SUSE Bug 1180391 A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2021-20190 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 important 8.3 AV:N/AC:M/Au:N/C:P/I:P/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-20190.html CVE-2021-20190 https://bugzilla.suse.com/1181118 SUSE Bug 1181118