CVE-2021-20190

HIGH

Fasterxml Jackson-databind < 2.6.7.5 - Insecure Deserialization

Description

A flaw was found in jackson-databind before 2.9.10.7: FasterXML mishandles the interaction between serialization gadgets and polymorphic typing, related to javax.swing.JEditorPane. When an application deserializes attacker-controlled JSON with default typing enabled (or with an Object-typed property annotated for class-name type ids), Jackson resolves the class name supplied in the JSON and instantiates it; a gadget class on the classpath can then turn that into arbitrary code execution. The fix extends Jackson's gadget blocklist, so it only closes this one class, not the underlying pattern. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
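As an added example (not code from the advisory or from the Jackson project), the snippet below shows the configuration that makes this CVE class reachable next to the hardened configuration that closes the pattern regardless of blocklist updates. The `Envelope` and `Greeting` classes, the `INPUT` document and the `java.util.HashMap` stand-in for an arbitrary attacker-supplied class name are constructed for the demo; no real gadget is used.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Hypothetical application class. A property typed as Object forces Jackson
    // to read the concrete class name from the JSON when default typing is on.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // Hypothetical benign type, used to show the class-name-in-JSON encoding.
    public static class Greeting {
        public String text;
    }

    // Constructed legitimate input: the ["className", value] array form that
    // default typing writes and accepts for Object-typed properties.
    static final String LEGIT_INPUT =
        "{\"id\":\"1\",\"payload\":[\"" + Greeting.class.getName()
        + "\",{\"text\":\"hi\"}]}";

    // Constructed hostile-shaped input: the attacker picks the class name.
    // java.util.HashMap is harmless and stands in for whatever gadget class
    // happens to be on the classpath; the point is that the name is not ours.
    static final String FOREIGN_CLASS_INPUT =
        "{\"id\":\"2\",\"payload\":[\"java.util.HashMap\",{}]}";

    // Vulnerable configuration (pre-2.10 API): global default typing with no
    // validator. The only protection is the per-release gadget blocklist that
    // CVE-2021-20190 extended by one more class.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened configuration (2.10+ API): default typing is only allowed
    // through an allowlist validator, so class names outside this demo's own
    // nested classes are rejected before anything is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(JacksonTypingDemo.class.getName() + "$")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns the runtime class of the payload, or null if the mapper refused
    // the type id. Lets the caller compare both configurations side by side.
    static Class<?> payloadClass(ObjectMapper mapper, String json) throws Exception {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return e.payload == null ? null : e.payload.getClass();
        } catch (InvalidTypeIdException denied) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper bad = vulnerableMapper();
        ObjectMapper good = hardenedMapper();

        // Both mappers accept the legitimate, allowlisted type.
        System.out.println("vulnerable/legit:  " + payloadClass(bad, LEGIT_INPUT));
        System.out.println("hardened/legit:    " + payloadClass(good, LEGIT_INPUT));

        // Only the vulnerable mapper instantiates a class the application never
        // asked for; the hardened one rejects the type id with
        // InvalidTypeIdException and returns null here.
        System.out.println("vulnerable/foreign: " + payloadClass(bad, FOREIGN_CLASS_INPUT));
        System.out.println("hardened/foreign:   " + payloadClass(good, FOREIGN_CLASS_INPUT));
    }
}
```

Run against jackson-databind 2.10 or later (the `activateDefaultTyping` / `PolymorphicTypeValidator` API does not exist in the 2.9.x line the advisory covers). Upgrading past 2.9.10.7 removes this particular gadget; replacing `enableDefaultTyping` with an allowlist validator, or disabling default typing altogether, is what removes the class of bug.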

Exploits (2)

PoC by dawetmaster (nomisec, marked working): https://github.com/dawetmaster/CVE-2021-20190-jackson-databind-vulnerable
PoC by andikahilmy (nomisec, marked working): https://github.com/andikahilmy/CVE-2021-20190-jackson-databind-vulnerable

Scores

CVSS v3.1 8.1 (High)
EPSS 0.0050 (0.50% estimated probability of exploitation in the next 30 days)
EPSS Percentile 66.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The vector reads: remotely reachable, no privileges or user interaction required, full confidentiality, integrity and availability impact, but high attack complexity, because the target must both enable polymorphic typing on attacker-reachable input and have the gadget class on its classpath.

Details

CWE
CWE-502
Status published
Products (9)
apache/nifi 1.7.0 - 1.12.1
com.fasterxml.jackson.core/jackson-databind >= 2.7.0, < 2.9.10.7 (Maven)
debian/debian_linux 9.0
fasterxml/jackson-databind < 2.6.7.5
netapp/active_iq_unified_manager (2 CPE variants)
netapp/oncommand_api_services
netapp/oncommand_insight
netapp/service_level_manager
oracle/commerce_guided_search_and_experience_manager 11.3.2
Published Jan 19, 2021
Tracked Since Feb 18, 2026