CVE-2021-20190

CVE Database · CVE-2021-20190

CVE-2021-20190

· HIGHModified

CVSS v3.1

8.1

EPSS

7.48%

Published

Jan 19, 2021

Modified

Aug 27, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502CWE-502

Affected Products (10)

fasterxml · jackson-databind (up to 2.6.7.5)vulnerable

fasterxml · jackson-databind (up to 2.9.10.7)vulnerable

netapp · active_iq_unified_managervulnerable

netapp · oncommand_api_servicesvulnerable

netapp · oncommand_insightvulnerable

netapp · service_level_managervulnerable

apache · nifivulnerable

debian · debian_linuxvulnerable

oracle · commerce_guided_search_and_experience_manager

References (12)

https://bugzilla.redhat.com/show_bug.cgi?id=1916633

Issue TrackingPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2854

PatchThird Party Advisory

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

Mailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20210219-0008/

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

KEV Catalog EPSS Scores Vendors All CVEs