Skip to content

Update dependency com.fasterxml.jackson.core:jackson-databind to v2.18.8 [SECURITY]#21

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/jackson-databind.version
Open

Update dependency com.fasterxml.jackson.core:jackson-databind to v2.18.8 [SECURITY]#21
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/jackson-databind.version

Conversation

@renovate

@renovate renovate Bot commented Mar 31, 2026

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.fasterxml.jackson.core:jackson-databind (source) 2.9.02.18.8 age adoption passing confidence

FasterXML jackson-databind allows unauthenticated remote code execution

CVE-2018-7489 / GHSA-cggj-fvv3-cqwv

More information

Details

FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

CVE-2017-17485 / GHSA-rfx6-vp9g-rh7v

More information

Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Arbitrary Code Execution in jackson-databind

CVE-2018-14718 / GHSA-645p-88qh-w398

More information

Details

FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Server-Side Request Forgery (SSRF) in jackson-databind

CVE-2018-14721 / GHSA-9mxf-g3x6-wv74

More information

Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Severity

  • CVSS Score: 10.0 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data

CVE-2018-19362 / GHSA-c8hm-7hpq-7jhg

More information

Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in jackson-databind

CVE-2018-19361 / GHSA-mx9v-gmh4-mgqw

More information

Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Arbitrary Code Execution in jackson-databind

CVE-2018-14719 / GHSA-4gq5-ch57-c2mg

More information

Details

FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


XML External Entity Reference (XXE) in jackson-databind

CVE-2018-14720 / GHSA-x2w5-5m2g-7h5m

More information

Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization

CVE-2018-19360 / GHSA-f9hv-mg5h-xcw9

More information

Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind Deserialization of Untrusted Data vulnerability

CVE-2018-12022 / GHSA-cjjf-94ff-43w7

More information

Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Note

PR body was truncated to here.

@renovate renovate Bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] Update jackson-databind.version to v2.12.7.1 [SECURITY] Jun 3, 2026
@renovate renovate Bot changed the title Update jackson-databind.version to v2.12.7.1 [SECURITY] Update jackson-databind.version [SECURITY] Jun 24, 2026
@renovate renovate Bot changed the title Update jackson-databind.version [SECURITY] Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] Jun 27, 2026
@renovate renovate Bot force-pushed the renovate/jackson-databind.version branch from 8b33c5e to 37a9dac Compare July 3, 2026 00:04
@renovate renovate Bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] Update dependency com.fasterxml.jackson.core:jackson-databind to v2.18.8 [SECURITY] Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants