CVE-2021-20190 — Deserialization of untrusted data in jackson-databind

Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

How to fix CVE-2021-20190

To remediate CVE-2021-20190, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 2.12.1-1 or later
—upgrade to 2.9.10.7 or later

Is CVE-2021-20190 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.7.0, <= 1.12.1
from 0, < 2.12.1-1
>= 2.7.0, < 2.9.10.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-20190
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-20190
PATCHgithub.com/FasterXML/jackson-databind
WEBbugzilla.redhat.com/show_bug.cgi?id=1916633