Published: 31 March 2020
FasterXML jackson-databind 2.x before 126.96.36.199 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
From the Ubuntu security team
It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code or cause other unspecified impact.
CVSS 3 base score: 8.8
|Ubuntu 21.10 (Impish Indri)||
|Ubuntu 21.04 (Hirsute Hippo)||
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 ESM (Xenial Xerus)|(end of standard support, was needs-triage)|
|Ubuntu 14.04 ESM (Trusty Tahr)|Does not exist|