CVE-2020-10672
jackson-databind mishandles the interaction between serialization gadgets and typing
Description
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Base CVSS
8.8
EPSS Score
35.29%
Introduced Version
2.7.9.2,2.8.11,2.9.4,2.0.0-RC1,2.7.0-rc1,2.8.0.rc1,2.9.0.pr1
Fix Available
2.9.10.4,2.6.7.4
Available Patches
Package
CVEs Fixed
Lines of Code Changed