CVE-2020-14195
Deserialization of untrusted data in Jackson Databind
Description
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
Base CVSS
8.1
EPSS Score
9.51%
Introduced Version
2.7.9.2,2.8.11,2.9.4,2.0.0-RC1,2.7.0-rc1,2.8.0.rc1,2.9.0.pr1
Fix Available
2.9.10.5,2.6.7.4
Available Patches
Package
CVEs Fixed
Lines of Code Changed