General data-binding functionality for Jackson: works on core streaming API
Language
JAVA
Vulnerability
Deserialisation Of Untrusted Data
Vulnerability description
jackson-databind can deserialize untrusted data. The vulnerability exists as the SubtypeValidator blacklist did not deny the axis2-transport-jms class from polymorphic deserialization, allowing issues such as remote code execution (RCE) to exist.
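The description above turns on a denylist that missed one class. As an added example (not code from this advisory or from the Jackson project), the following shows the allowlist alternative, assuming jackson-databind 2.10 or later, where `PolymorphicTypeValidator` is available; the `Invoice`, `NotAllowlisted` and `Envelope` classes are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistTypingDemo {
    // Constructed application types; none of these names come from the advisory.
    public static class Invoice { public String id; public int amountCents; }
    public static class NotAllowlisted { public String value; }
    public static class Envelope { public Object payload; } // Object field = polymorphic

    static ObjectMapper hardenedMapper() {
        // Allowlist: only Invoice may be named as a subtype in incoming JSON.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Invoice.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Type ids are honoured only for Object-typed properties, and only if ptv agrees.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
        return mapper;
    }

    // Constructed input: default typing wraps a value as ["<class name>", {...}].
    static String envelopeJson(Class<?> type, String body) {
        return "{\"payload\":[\"" + type.getName() + "\"," + body + "]}";
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        Envelope ok = mapper.readValue(
                envelopeJson(Invoice.class, "{\"id\":\"INV-1\",\"amountCents\":1200}"),
                Envelope.class);
        System.out.println("accepted: " + ok.payload.getClass().getSimpleName());

        try {
            mapper.readValue(envelopeJson(NotAllowlisted.class, "{\"value\":\"x\"}"),
                    Envelope.class);
            System.out.println("unexpected: type was accepted");
        } catch (JsonMappingException e) {
            // Denied by the validator before any NotAllowlisted instance is created.
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

With an allowlist, a class that nobody has reviewed is rejected by default, so a newly discovered gadget class does not require a library update to be blocked.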
Veracode Software Composition Analysis