CVE-2020-10650

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Se descubrió un fallo de deserialización en jackson-databind hasta 2.9.10.4. Podría permitir que un usuario no autenticado realice la ejecución de código a través de ignite-jta o quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory y org. quartz.utils.JNDIConnectionProvider.

*Credits: N/A

CVSS Scores

NISTv3.1 8.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-03-17 CVE Reserved
2022-12-26 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-10-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (8)

URL	Tag	Source
https://github.com/advisories/GHSA-rpr3-cw39-3pxh	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
https://security.netapp.com/advisory/ntap-20230818-0007

URL	Date	SRC
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062	2024-08-04

URL	Date	SRC
https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef	2023-08-18
https://github.com/FasterXML/jackson-databind/issues/2658	2023-08-18
https://www.oracle.com/security-alerts/cpujan2021.html	2023-08-18
https://www.oracle.com/security-alerts/cpuoct2022.html	2023-08-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				<= 2.9.10.4 Search vendor "Fasterxml" for product "Jackson-databind" and version " <= 2.9.10.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				15.0 Search vendor "Oracle" for product "Retail Merchandising System" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Sales Audit Search vendor "Oracle" for product "Retail Sales Audit"				14.1 Search vendor "Oracle" for product "Retail Sales Audit" and version "14.1"		-		Affected