CVE-2020-14060
jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool
Severity Score: 8.1 (CVSS v3.1)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
FasterXML jackson-databind versions 2.x prior to 2.9.10.5 mishandle the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (also known as apache/drill).
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
*Credits:
N/A
Timeline
- 2020-06-14 CVE Reserved
- 2020-06-14 CVE Published
- 2024-08-04 CVE Updated
- 2024-10-08 EPSS Updated
CWE
- CWE-502: Deserialization of Untrusted Data
References (11)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html | Mailing List | |
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 | X_refsource_misc | |
https://security.netapp.com/advisory/ntap-20200702-0003 | Third Party Advisory | |
https://www.oracle.com//security-alerts/cpujul2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuApr2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuoct2021.html | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://github.com/FasterXML/jackson-databind/issues/2688 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2020-14060 | 2020-07-29 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1848960 | 2020-07-29 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Fasterxml | Jackson-databind | >= 2.9.0 < 2.9.10.5 | - | Affected |
Netapp | Active Iq Unified Manager | >= 7.3 | linux | Affected |
Netapp | Active Iq Unified Manager | >= 7.3 | windows | Affected |
Netapp | Active Iq Unified Manager | >= 9.5 | vmware_vsphere | Affected |
Netapp | Steelstore Cloud Integrated Storage | - | - | Affected |
Oracle | Agile Plm | 9.3.6 | - | Affected |
Oracle | Banking Digital Experience | 18.1 | - | Affected |
Oracle | Banking Digital Experience | 18.2 | - | Affected |
Oracle | Banking Digital Experience | 18.3 | - | Affected |
Oracle | Banking Digital Experience | 19.1 | - | Affected |
Oracle | Banking Digital Experience | 19.2 | - | Affected |
Oracle | Banking Digital Experience | 20.1 | - | Affected |
Oracle | Communications Calendar Server | 8.0.0.4.0 | - | Affected |
Oracle | Communications Contacts Server | 8.0.0.5.0 | - | Affected |
Oracle | Communications Diameter Signaling Router | >= 8.0.0 <= 8.2.2 | - | Affected |
Oracle | Communications Element Manager | >= 8.2.0 <= 8.2.2 | - | Affected |
Oracle | Communications Evolved Communications Application Server | 7.1 | - | Affected |
Oracle | Communications Session Report Manager | >= 8.2.0 <= 8.2.2 | - | Affected |
Oracle | Communications Session Route Manager | >= 8.2.0 <= 8.2.2 | - | Affected |