CVE-2020-25649
jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
Severity Score: 7.5 (CVSS v3.1)
Exploit Likelihood (EPSS): not shown
Affected Versions (CPE): see the table below
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
A flaw was found in FasterXML jackson-databind: the DOMDeserializer (the deserializer that turns a JSON string into an org.w3c.dom document) did not secure entity expansion in the XML parser it creates, so XML reaching it through JSON input is exposed to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Credits: N/A
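The description above only says that entity expansion was "not secured properly". The Java example below is added here for illustration and is not jackson-databind's code: it places an unhardened JDK DocumentBuilderFactory beside a hardened one and uses a recording EntityResolver to detect, offline, whether a given factory configuration would try to fetch an external entity. The payload is constructed, and the precise feature set upstream applied in 2.6.7.4, 2.9.10.7 and 2.10.5.1 should be read from the fix linked in issue #2589 rather than assumed from this code.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Added illustration of the misconfiguration class behind CVE-2020-25649; not project code. */
public class XxeHardeningDemo {

    // Constructed payload: a DOCTYPE declaring an external entity that is then expanded.
    static final String CONSTRUCTED_XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<doc>&xxe;</doc>";

    /** Factory left at JDK defaults: DOCTYPEs and external entities are allowed. */
    static DocumentBuilderFactory unhardenedFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** Hardened factory: any DOCTYPE is a parse error, and every external-resource path is closed. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Primary control: reject the DOCTYPE before any entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Records the system identifier of any external entity the parser asks for, fetching nothing. */
    static final class RecordingResolver implements EntityResolver {
        String requestedSystemId;

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requestedSystemId = systemId;
            return new InputSource(new StringReader("")); // empty entity: no file or network access
        }
    }

    /**
     * Returns the external system ID the parser tried to resolve, or null if the parser
     * rejected the document before resolving anything. Safe to run in a unit test.
     */
    static String externalEntityRequested(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        RecordingResolver resolver = new RecordingResolver();
        builder.setEntityResolver(resolver);
        try {
            builder.parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException rejected) {
            return null; // e.g. "DOCTYPE is disallowed" from the hardened factory
        }
        return resolver.requestedSystemId;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unhardened factory requested: "
            + externalEntityRequested(unhardenedFactory(), CONSTRUCTED_XXE_PAYLOAD)); // file:///etc/hostname
        System.out.println("hardened factory requested:   "
            + externalEntityRequested(hardenedFactory(), CONSTRUCTED_XXE_PAYLOAD));   // null
    }
}
```

The recording resolver is the useful check here: it tells you whether a parser configuration would reach out for an external resource without letting it actually do so, which is how to regression-test any code path that builds a DOM from attacker-controlled text (including JSON fields bound to org.w3c.dom types through Jackson). Note that setExpandEntityReferences(false) on its own governs whether references are expanded in the resulting DOM, not whether the parser fetches the declared resource, so it is not a substitute for rejecting the DOCTYPE.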
CVSS Scores
CVSS v3.1 metrics (values not shown on this page): Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVSS v2 metrics (values not shown on this page): Attack Vector, Attack Complexity, Authentication, Confidentiality, Integrity, Availability
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation, Automatable, Tech. Impact: not shown
* Organization's Worst-case Scenario
Timeline
- 2020-09-16 CVE Reserved
- 2020-10-22 CVE Published
- 2024-08-04 CVE Updated
- 2024-10-24 EPSS Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
- First Exploit: not recorded
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (72)
URL | Date | SRC
---|---|---
https://github.com/FasterXML/jackson-databind/issues/2589 | 2023-11-07 |
https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpujul2022.html | 2023-11-07 |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Fasterxml | Jackson-databind | >= 2.6.0 < 2.6.7.4 | - | Affected
Fasterxml | Jackson-databind | >= 2.9.0 < 2.9.10.7 | - | Affected
Fasterxml | Jackson-databind | >= 2.10.0 < 2.10.5.1 | - | Affected
Netapp | Oncommand Api Services | - | - | Affected
Netapp | Oncommand Workflow Automation | - | - | Affected
Netapp | Service Level Manager | - | - | Affected
Fedoraproject | Fedora | 32 | - | Affected
Quarkus | Quarkus | <= 1.6.1 | - | Affected
Apache | Iotdb | < 0.12.0 | - | Affected
Oracle | Agile Plm | 9.3.6 | - | Affected
Oracle | Agile Product Lifecycle Management Integration Pack | 3.6 | e-business_suite | Affected
Oracle | Banking Apis | >= 18.1 <= 18.3 | - | Affected
Oracle | Banking Apis | 19.1 | - | Affected
Oracle | Banking Apis | 19.2 | - | Affected
Oracle | Banking Apis | 20.1 | - | Affected
Oracle | Banking Apis | 21.1 | - | Affected
Oracle | Banking Platform | 2.6.2 | - | Affected
Oracle | Banking Platform | 2.7.0 | - | Affected
Oracle | Banking Platform | 2.7.1 | - | Affected
Oracle | Banking Platform | 2.8.0 | - | Affected
Oracle | Banking Platform | 2.9.0 | - | Affected
Oracle | Banking Platform | 2.10.0 | - | Affected
Oracle | Banking Treasury Management | 4.4 | - | Affected
Oracle | Blockchain Platform | < 21.1.2 | - | Affected
Oracle | Coherence | 12.2.1.4.0 | - | Affected
Oracle | Coherence | 14.1.1.0.0 | - | Affected
Oracle | Commerce Platform | >= 11.3.0 <= 11.3.2 | - | Affected
Oracle | Commerce Platform | 11.2.0 | - | Affected
Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 | - | Affected
Oracle | Communications Billing And Revenue Management | 12.0.0.3.0 | - | Affected
Oracle | Communications Cloud Native Core Unified Data Repository | 1.4.0 | - | Affected
Oracle | Communications Convergent Charging Controller | 12.0.4.0.0 | - | Affected
Oracle | Communications Evolved Communications Application Server | 7.1 | - | Affected
Oracle | Communications Instant Messaging Server | 10.0.1.5.0 | - | Affected
Oracle | Communications Interactive Session Recorder | 6.3 | - | Affected
Oracle | Communications Interactive Session Recorder | 6.4 | - | Affected
Oracle | Communications Network Charging And Control | 12.0.4.0.0 | - | Affected
Oracle | Communications Offline Mediation Controller | 12.0.0.3 | - | Affected
Oracle | Communications Pricing Design Center | 12.0.0.4.0 | - | Affected
Oracle | Communications Services Gatekeeper | 7.0 | - | Affected
Oracle | Communications Unified Inventory Management | 7.4.1 | - | Affected
Oracle | Goldengate Application Adapters | 19.1.0.0.0 | - | Affected
Oracle | Health Sciences Empirica Signal | 9.0 | - | Affected
Oracle | Health Sciences Empirica Signal | 9.1 | - | Affected
Oracle | Insurance Policy Administration | >= 11.1.0 <= 11.3.0 | - | Affected
Oracle | Insurance Policy Administration | 11.0.2 | - | Affected
Oracle | Insurance Rules Palette | >= 11.1.0 <= 11.3.0 | - | Affected
Oracle | Insurance Rules Palette | 11.0.2 | - | Affected
Oracle | Jd Edwards Enterpriseone Orchestrator | < 9.2.5.3 | - | Affected
Oracle | Jd Edwards Enterpriseone Tools | < 9.2.5.3 | - | Affected
Oracle | Primavera Gateway | >= 17.7 <= 17.12 | - | Affected
Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.11 | - | Affected
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.11 | - | Affected
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.10 | - | Affected
Oracle | Primavera Gateway | 20.12.0 | - | Affected
Oracle | Retail Service Backbone | 14.1.3.2 | - | Affected
Oracle | Retail Service Backbone | 15.0.3.1 | - | Affected
Oracle | Retail Service Backbone | 16.0.3 | - | Affected
Oracle | Retail Xstore Point Of Service | 16.0.6 | - | Affected
Oracle | Retail Xstore Point Of Service | 17.0.4 | - | Affected
Oracle | Retail Xstore Point Of Service | 18.0.3 | - | Affected
Oracle | Retail Xstore Point Of Service | 19.0.2 | - | Affected
Oracle | Retail Xstore Point Of Service | 20.0.1 | - | Affected
Oracle | Sd-wan Edge | 9.0 | - | Affected
Oracle | Utilities Framework | 4.3.0.5.0 | - | Affected
Oracle | Utilities Framework | 4.3.0.6.0 | - | Affected
Oracle | Utilities Framework | 4.4.0.0.0 | - | Affected
Oracle | Utilities Framework | 4.4.0.2.0 | - | Affected
Oracle | Utilities Framework | 4.4.0.3.0 | - | Affected
Oracle | Webcenter Portal | 12.2.1.3.0 | - | Affected
Oracle | Webcenter Portal | 12.2.1.4.0 | - | Affected
Oracle | Communications Messaging Server | 8.0.2 | - | Affected
Oracle | Communications Messaging Server | 8.1 | - | Affected
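The three jackson-databind ranges in the table are what a dependency scan has to match against. The Java example below is added here (it is not tooling from the project or from any vendor listed) and triages `mvn dependency:tree` output against exactly those ranges: versions inside a listed range are flagged, versions at or past the fix on the same branch are reported as fixed, and branches the table does not list (for example 2.7.x or 2.8.x) are deliberately reported as "check the advisory" rather than as safe, because this page gives no fix version for them. The sample tree lines are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added triage helper for CVE-2020-25649 ranges as listed on this page; not project or vendor code. */
public class JacksonDatabindTriage {

    /** Affected ranges exactly as listed: [lower bound, fixed version) per branch. */
    static final String[][] AFFECTED_RANGES = {
        {"2.6.0", "2.6.7.4"},
        {"2.9.0", "2.9.10.7"},
        {"2.10.0", "2.10.5.1"},
    };

    /** Matches the Maven coordinate as printed by `mvn dependency:tree`. */
    static final Pattern COORD = Pattern.compile(
        "com\\.fasterxml\\.jackson\\.core:jackson-databind:(?:jar|bundle):([0-9][0-9A-Za-z.\\-]*)");

    /** Dotted-version compare; a missing trailing component counts as 0, so 2.6.7 < 2.6.7.4. */
    static int compareVersions(String a, String b) {
        String[] x = a.split("[.\\-]"), y = b.split("[.\\-]");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? numericPrefix(x[i]) : 0;
            int yi = i < y.length ? numericPrefix(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    /** Leading digits of a component ("10", "7rc1" -> 7); non-numeric components count as 0. */
    private static int numericPrefix(String s) {
        int v = 0;
        for (char c : s.toCharArray()) {
            if (c < '0' || c > '9') break;
            v = v * 10 + (c - '0');
        }
        return v;
    }

    /** True when both versions share the same major.minor branch. */
    private static boolean sameBranch(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        return x.length >= 2 && y.length >= 2 && x[0].equals(y[0]) && x[1].equals(y[1]);
    }

    static String classify(String version) {
        for (String[] r : AFFECTED_RANGES) {
            if (compareVersions(version, r[0]) >= 0 && compareVersions(version, r[1]) < 0) {
                return "AFFECTED (fixed in " + r[1] + ")";
            }
            if (sameBranch(version, r[0]) && compareVersions(version, r[1]) >= 0) {
                return "fixed";
            }
        }
        // A branch this page lists no fix for is not evidence of safety.
        return "not in a listed range; check the vendor advisory for this branch";
    }

    static List<String> scanDependencyTree(Iterable<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = COORD.matcher(line);
            while (m.find()) {
                String v = m.group(1);
                findings.add("jackson-databind " + v + ": " + classify(v));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:tree` output, not taken from any real project.
        List<String> sample = Arrays.asList(
            "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.4:compile",
            "[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile",
            "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:compile",
            "[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.6:compile");
        for (String finding : scanDependencyTree(sample)) {
            System.out.println(finding);
        }
    }
}
```

Run it over the real tree with `mvn dependency:tree | java JacksonDatabindTriage`-style piping after swapping the constructed sample for stdin. Shaded or relocated copies of jackson-databind will not appear under the original coordinate, so treat a clean result as "nothing declared", not "nothing on the classpath".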