Deserialization of Untrusted Data
Affecting com.fasterxml.jackson.core:jackson-databind artifact, versions [2.0.0, 18.104.22.168)
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Upgrade com.fasterxml.jackson.core:jackson-databind to version 22.214.171.124 or higher.
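Beyond upgrading, the configuration that makes this class of issue reachable is Default Typing with no restriction on which classes a type id may name. The following is an added example (not code from the advisory or from the Jackson project) that places the weak mapper configuration beside a hardened one using Jackson's PolymorphicTypeValidator (available from 2.10), and checks that the hardened mapper refuses a type id outside the application's own model package. The model package name and the input JSON are constructed for the demonstration; a harmless JDK class stands in for the gadget class named in the advisory.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.io.IOException;

public class DefaultTypingDemo {

    // Constructed sample: polymorphic input naming a class the service never expected.
    // A harmless JDK type stands in for the gadget class referenced by the advisory.
    static final String UNEXPECTED_TYPE_JSON = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Hypothetical application model package: only classes under it may be instantiated.
    static final String MODEL_PACKAGE = "com.example.model";

    // Weak configuration: any class on the classpath can be named by the JSON type id.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated, unrestricted
        return m;
    }

    // Hardened configuration: type ids must pass an explicit allow-list validator.
    // Preferable still is to not enable default typing and use @JsonTypeInfo with
    // logical names on the specific base types that genuinely need polymorphism.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(MODEL_PACKAGE)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True when the mapper refuses to instantiate the class named in the input.
    static boolean rejectsUnexpectedType(ObjectMapper mapper) {
        try {
            mapper.readValue(UNEXPECTED_TYPE_JSON, Object.class);
            return false; // class was instantiated: the type id was not validated
        } catch (InvalidTypeIdException e) {
            return true;  // validator denied the type id before any instantiation
        } catch (IOException e) {
            return false; // some other parse failure; not the check we are after
        }
    }

    public static void main(String[] args) {
        System.out.println("weak mapper rejects unexpected type:     " + rejectsUnexpectedType(weakMapper()));
        System.out.println("hardened mapper rejects unexpected type: " + rejectsUnexpectedType(hardenedMapper()));
    }
}
```

Running this prints `false` for the weak mapper (the HashMap is instantiated from the type id) and `true` for the hardened one; in a deployed service the same check belongs in a unit test that fails the build if an unrestricted mapper reappears.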