CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:oracle:commerce_guided_search_and_experience_manager:11.3.2:*:*:*:*:*:*:*

History

07 Nov 2023, 03:28

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E', 'name': '[nifi-commits] 20210222 svn commit: r1886814 - /nifi/site/trunk/security.html', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E -

03 Jun 2022, 13:07

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory
First Time Oracle commerce Guided Search And Experience Manager
Oracle
CPE cpe:2.3:a:oracle:commerce_guided_search_and_experience_manager:11.3.2:*:*:*:*:*:*:*

05 May 2021, 12:49

Type Values Removed Values Added
CPE cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
References (MLIST) https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E - Mailing List, Vendor Advisory (MLIST) https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html - (MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html - Mailing List, Third Party Advisory

24 Apr 2021, 23:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html -

04 Mar 2021, 20:16

Type Values Removed Values Added
CPE cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1916633 - Issue Tracking, Third Party Advisory (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1916633 - Issue Tracking, Patch, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210219-0008/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210219-0008/ - Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E - Mailing List, Vendor Advisory

22 Feb 2021, 23:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E -

19 Feb 2021, 13:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210219-0008/ -

22 Jan 2021, 19:28

Type Values Removed Values Added
CPE cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1916633 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1916633 - Issue Tracking, Third Party Advisory
References (MISC) https://github.com/FasterXML/jackson-databind/issues/2854 - (MISC) https://github.com/FasterXML/jackson-databind/issues/2854 - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 8.3
v3 : 8.1

19 Jan 2021, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-01-19 17:15

Updated : 2023-12-10 13:41


NVD link : CVE-2021-20190

Mitre link : CVE-2021-20190

CVE.ORG link : CVE-2021-20190


JSON object : View

Products Affected

oracle

  • commerce_guided_search_and_experience_manager

debian

  • debian_linux

netapp

  • oncommand_insight
  • service_level_manager
  • oncommand_api_services
  • active_iq_unified_manager

fasterxml

  • jackson-databind

apache

  • nifi
CWE
CWE-502

Deserialization of Untrusted Data