CVE-2021-20190
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-20190
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-20190.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 2.12.1-1 |
| debian | bullseye | fixed | 2.12.1-1 |
| debian | forky | fixed | 2.12.1-1 |
| debian | sid | fixed | 2.12.1-1 |
| debian | trixie | fixed | 2.12.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | com.fasterxml.jackson.core:jackson-databind | >=2.7.0,<2.9.10.7 | 2.9.10.7 |
| Maven | com.fasterxml.jackson.core:jackson-databind | <2.6.7.5 | 2.6.7.5 |
References
- https://www.suse.com/security/cve/CVE-2021-20190.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-20190
- https://github.com/FasterXML/jackson-databind/issues/2854
- https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- https://github.com/FasterXML/jackson-databind
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210219-0008
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://security-tracker.debian.org/tracker/CVE-2021-20190