A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Debian_linux | Debian | 10.0 (including) | 10.0 (including) |
Jackson-databind | Ubuntu | bionic | * |
Jackson-databind | Ubuntu | focal | * |
Jackson-databind | Ubuntu | kinetic | * |
Jackson-databind | Ubuntu | lunar | * |
Jackson-databind | Ubuntu | mantic | * |
Jackson-databind | Ubuntu | oracular | * |
Jackson-databind | Ubuntu | trusty | * |
Jackson-databind | Ubuntu | trusty/esm | * |
Jackson-databind | Ubuntu | xenial | * |