

Published: 2 January 2019

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

From the Ubuntu security team

It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute server-side request forgery (SSRF).



CVSS 3 base score: 10.0


Package Release Status
bionic Not vulnerable
cosmic Ignored (reached end-of-life)
disco Not vulnerable
eoan Not vulnerable
focal Not vulnerable
groovy Not vulnerable
hirsute Not vulnerable
impish Not vulnerable
jammy Not vulnerable
precise Does not exist
trusty Does not exist (trusty was needed)
Released (2.9.7)
xenial Ignored (end of standard support, was needed)