CVE-2020-14062
jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.5, maneja incorrectamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (también se conoce como xalan2)
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-14 CVE Reserved
- 2020-06-14 CVE Published
- 2024-08-04 CVE Updated
- 2024-10-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (11)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html | Mailing List | |
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 | X_refsource_misc | |
https://security.netapp.com/advisory/ntap-20200702-0003 | Third Party Advisory | |
https://www.oracle.com//security-alerts/cpujul2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuApr2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuoct2021.html | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/FasterXML/jackson-databind/issues/2704 | 2023-11-07 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2020-14062 | 2020-10-27 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1848962 | 2020-10-27 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.9.0 < 2.9.10.5 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.10.5" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 7.3 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 7.3" | linux |
Affected
| ||||||
Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 7.3 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 7.3" | windows |
Affected
| ||||||
Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 9.5 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 9.5" | vmware_vsphere |
Affected
| ||||||
Netapp Search vendor "Netapp" | Steelstore Cloud Integrated Storage Search vendor "Netapp" for product "Steelstore Cloud Integrated Storage" | - | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Agile Plm Search vendor "Oracle" for product "Agile Plm" | 9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 18.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "18.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 18.2 Search vendor "Oracle" for product "Banking Digital Experience" and version "18.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 18.3 Search vendor "Oracle" for product "Banking Digital Experience" and version "18.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 19.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 19.2 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Calendar Server Search vendor "Oracle" for product "Communications Calendar Server" | 8.0.0.4.0 Search vendor "Oracle" for product "Communications Calendar Server" and version "8.0.0.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Contacts Server Search vendor "Oracle" for product "Communications Contacts Server" | 8.0.0.5.0 Search vendor "Oracle" for product "Communications Contacts Server" and version "8.0.0.5.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router" | >= 8.0.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager" | >= 8.2.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Element Manager" and version " >= 8.2.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Evolved Communications Application Server Search vendor "Oracle" for product "Communications Evolved Communications Application Server" | 7.1 Search vendor "Oracle" for product "Communications Evolved Communications Application Server" and version "7.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager" | >= 8.2.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.2.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager" | >= 8.2.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.2.0 <= 8.2.2" | - |
Affected
|