jackson-databind Multiple CVE Deserialization Vulnerabilities Fix Advisory

Vulnerability Key Information Package: jackson-databind Version: 2.4.2-2+deb8u14 CVE IDs: CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620 Vulnerability Description CVE-2020-10968: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (i.e., bus-proxy). CVE-2020-10969: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to javax.swing.JEditorPane. CVE-2020-11111: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to activemq. CVE-2020-11112: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to org.apache.commons.proxy.provider.remoting.RmiProvider. CVE-2020-11113: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to org.apache.openjpa.ee.WASRegistryManagedRuntime. CVE-2020-11619: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to org.springframework.aop.config.MethodLocatingFactoryBean. CVE-2020-11620: FasterXML jackson-databind 2.x versions prior to 2.9.10.4 improperly handles interactions between deserialization gadgets and types, related to org.apache.commons.jelly.impl.Embedded. Fix Information Debian 8 "Jessie": These issues have been fixed in version 2.4.2-2+deb8u14.

Goal Reached Thanks to every supporter — we hit 100%!

jackson-databind Multiple CVE Deserialization Vulnerabilities Fix Advisory