CVE-2021-20190
Published: 19 January 2021
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jackson-databind Launchpad, Ubuntu, Debian |
groovy |
Ignored
(end of life)
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| xenial |
Needs triage
|
|
| jammy |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| lunar |
Not vulnerable
(2.13.2.2-1)
|
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| hirsute |
Ignored
(end of life)
|
|
| trusty |
Needs triage
|
|
| upstream |
Released
(2.12.1-1)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |