CVE-2020-36189 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource
https://notcve.org/view.php?id=CVE-2020-36189
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8 maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://github.com/FasterXML/jackson-databind/issues/2996 https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html https://security.netapp.com/advisory/ntap-20210205-0005 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022 • CWE-502: Deserialization of Untrusted Data •
CVE-2020-36181 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
https://notcve.org/view.php?id=CVE-2020-36181
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://github.com/FasterXML/jackson-databind/issues/3004 https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html https://security.netapp.com/advisory/ntap-20210205-0005 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022 • CWE-502: Deserialization of Untrusted Data •
CVE-2020-35728 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
https://notcve.org/view.php?id=CVE-2020-35728
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (también se conoce como Xalan incorporado en org.glassfish.web/javax.servlet.jsp.jstl) A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://github.com/Al1ex/CVE-2020-35728 https://github.com/FasterXML/jackson-databind/issues/2999 https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://security.netapp.com/advisory/ntap-20210129-0007 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-502: Deserialization of Untrusted Data •
CVE-2020-25649 – jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
https://notcve.org/view.php?id=CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. Se encontró un fallo en FasterXML Jackson Databind, donde no tenía la expansión de entidad asegurada apropiadamente. Este fallo permite una vulnerabilidad a ataques de tipo XML external entity (XXE). • https://bugzilla.redhat.com/show_bug.cgi?id=1887664 https://github.com/FasterXML/jackson-databind/issues/2589 https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985d • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2020-2555 – Oracle Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-2555
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). • https://www.exploit-db.com/exploits/48320 https://www.exploit-db.com/exploits/48508 https://github.com/Y4er/CVE-2020-2555 https://github.com/wsfengfan/CVE-2020-2555 https://github.com/Hu3sky/CVE-2020-2555 https://github.com/Uvemode/CVE-2020-2555 http://packetstormsecurity.com/files/157054/Oracle-Coherence-Fusion-Middleware-Remote-Code-Execution.html http://packetstormsecurity.com/files/157207/Oracle-WebLogic-Server-12.2.1.4.0-Remote-Code-Execution.html http://packetstormsecurity.com/fil • CWE-502: Deserialization of Untrusted Data •