CVE-2020-35491
jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource
Summary
- Public Exploits: 1
- Exploited in Wild: -
- SSVC Decision: -
Descriptions
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
A flaw was found in jackson-databind: FasterXML mishandles the interaction between serialization gadgets and polymorphic typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. As with the other jackson-databind gadget CVEs, the issue is only reachable when an application enables polymorphic type handling that takes class names from the input (Default Typing, or @JsonTypeInfo with class-name type ids on a broad base type), deserializes untrusted JSON with it, and has the gadget library (here Apache Commons DBCP2, whose SharedPoolDataSource class is named in the CVE) on the classpath. The 2.9.10.8 fix adds that class to Jackson's built-in subtype block list; the durable fix is to avoid Default Typing on untrusted input, or to restrict it with an allow-listing PolymorphicTypeValidator.
Red Hat OpenShift Container Platform is Red Hat's Kubernetes application platform for on-premise or private cloud deployments. Issues addressed in its update include code execution and deserialization vulnerabilities.
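The configuration that makes gadget classes like the one named above reachable, beside the allow-list configuration that closes the whole class of issues, as an added example (not code from the advisory or from the jackson-databind project). It assumes jackson-databind 2.10 or later, where activateDefaultTyping() requires a PolymorphicTypeValidator; the Greeting class, the com.example.model package and the JSON inputs are constructed for the example.

```java
package com.example.model;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

/**
 * Added example, not part of the advisory or of jackson-databind itself.
 * Shows the Default Typing setup that exposes gadget classes such as the one
 * named in CVE-2020-35491, and the allow-list setup that rejects them by
 * policy. Requires jackson-databind 2.10+ (activateDefaultTyping with a PTV).
 */
public class DefaultTypingDemo {

    /** Hypothetical application type: the only thing we want to accept polymorphically. */
    public static class Greeting {
        public String text;
    }

    /**
     * What the pre-2.10 enableDefaultTyping() did: any class named in the JSON
     * may be instantiated, limited only by Jackson's built-in block list. Each
     * gadget CVE, this one included, adds one more class to that list, so the
     * protection is only as good as the last patch applied.
     */
    static ObjectMapper laissezFaireMapper() {
        return new ObjectMapper().activateDefaultTyping(
                LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /**
     * Allow-list form: only class names under the application's own package
     * may appear as type ids. A type id such as
     * org.apache.commons.dbcp2.datasources.SharedPoolDataSource is denied
     * whether or not commons-dbcp2 is on the classpath and whether or not
     * Jackson's block list already knows about it.
     */
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /**
     * Deserializes untrusted JSON into Object and reports the outcome:
     * "instantiated <class>" if a bean of the attacker-chosen type was created,
     * otherwise which exception stopped it.
     */
    static String tryRead(ObjectMapper mapper, String untrustedJson) {
        try {
            Object o = mapper.readValue(untrustedJson, Object.class);
            return "instantiated " + o.getClass().getName();
        } catch (InvalidTypeIdException e) {
            // Validator denial or unresolvable class: the type id never became a bean
            return "rejected type id: " + e.getTypeId();
        } catch (JsonMappingException e) {
            // Covers the block-list path (InvalidDefinitionException) on patched versions
            return "rejected: " + e.getClass().getSimpleName();
        } catch (java.io.IOException e) {
            return "malformed input: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input in the wrapper-array shape Default Typing uses
        // for Object-typed values: [ "<fully qualified class>", { ...properties... } ].
        // The class name is the one the CVE names; no gadget properties are supplied.
        String hostile = "[\"org.apache.commons.dbcp2.datasources.SharedPoolDataSource\", {}]";

        // Legitimate input in the same shape, produced by the library itself so the
        // type id (com.example.model.DefaultTypingDemo$Greeting) is spelled correctly.
        Greeting g = new Greeting();
        g.text = "hello";
        String benign = allowListMapper().writerFor(Object.class).writeValueAsString(g);

        System.out.println("laissez-faire, hostile: " + tryRead(laissezFaireMapper(), hostile));
        System.out.println("allow-list,    hostile: " + tryRead(allowListMapper(), hostile));
        System.out.println("allow-list,    benign : " + tryRead(allowListMapper(), benign));
    }
}
```

With the allow-list mapper the hostile input is always reported as a rejected type id, and the benign input round-trips to a Greeting. With the laissez-faire mapper the result depends on the environment: the same rejection if commons-dbcp2 is absent, a block-list rejection (InvalidDefinitionException) on 2.9.10.8 or later when it is present, and an instantiated SharedPoolDataSource on an unpatched version with the library on the classpath. That environment dependence is why the allow-list, not the block list, is the control to rely on.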
SSVC
- Decision:-
Timeline
- 2020-12-17 CVE Reserved
- 2020-12-17 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-12-24 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
- CWE-502: Deserialization of Untrusted Data
References (12)
URL | Tag | Date |
---|---|---|
https://github.com/FasterXML/jackson-databind/issues/2986 | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html | Mailing List | |
https://security.netapp.com/advisory/ntap-20210122-0005 | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory | |
https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 | | 2024-08-04 |
https://www.oracle.com//security-alerts/cpujul2021.html | | 2022-09-08 |
https://www.oracle.com/security-alerts/cpuApr2021.html | | 2022-09-08 |
https://www.oracle.com/security-alerts/cpuapr2022.html | | 2022-09-08 |
https://www.oracle.com/security-alerts/cpujan2022.html | | 2022-09-08 |
https://www.oracle.com/security-alerts/cpuoct2021.html | | 2022-09-08 |
https://access.redhat.com/security/cve/CVE-2020-35491 | | 2021-05-06 |
https://bugzilla.redhat.com/show_bug.cgi?id=1909269 | | 2021-05-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
Fasterxml | Jackson-databind | >= 2.0.0 < 2.9.10.8 | Affected |
Netapp | Service Level Manager | - | Affected |
Debian | Debian Linux | 9.0 | Affected |
Oracle | Agile Plm | 9.3.6 | Affected |
Oracle | Application Testing Suite | 13.3.0.1 | Affected |
Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 | Affected |
Oracle | Banking Platform | 2.6.2 | Affected |
Oracle | Banking Platform | 2.7.0 | Affected |
Oracle | Banking Platform | 2.7.1 | Affected |
Oracle | Banking Platform | 2.8.0 | Affected |
Oracle | Banking Platform | 2.9.0 | Affected |
Oracle | Banking Platform | 2.10.0 | Affected |
Oracle | Banking Treasury Management | 14.4 | Affected |
Oracle | Banking Virtual Account Management | 14.2.0 | Affected |
Oracle | Banking Virtual Account Management | 14.3.0 | Affected |
Oracle | Banking Virtual Account Management | 14.5.0 | Affected |
Oracle | Blockchain Platform | <= 21.1.2 | Affected |
Oracle | Communications Cloud Native Core Policy | 1.14.0 | Affected |
Oracle | Communications Cloud Native Core Unified Data Repository | 1.4.0 | Affected |
Oracle | Communications Diameter Signaling Route | >= 8.0.0.0 <= 8.5.0.0 | Affected |
Oracle | Communications Diameter Signaling Route | - | Affected |
Oracle | Communications Evolved Communications Application Server | 7.1 | Affected |
Oracle | Communications Instant Messaging Server | 10.0.1.5.0 | Affected |
Oracle | Communications Offline Mediation Controller | 12.0.0.3 | Affected |
Oracle | Communications Pricing Design Center | 12.0.0.4.0 | Affected |
Oracle | Communications Services Gatekeeper | 7.0 | Affected |
Oracle | Communications Unified Inventory Management | 7.4.1 | Affected |
Oracle | Documaker | 12.6.3 | Affected |
Oracle | Documaker | 12.6.4 | Affected |
Oracle | Insurance Policy Administration J2ee | 11.0.2 | Affected |
Oracle | Retail Customer Management And Segmentation Foundation | >= 16.0 <= 19.0 | Affected |
Oracle | Retail Merchandising System | 15.0.3 | Affected |
Oracle | Retail Xstore Point Of Service | 16.0.6 | Affected |
Oracle | Retail Xstore Point Of Service | 17.0.4 | Affected |
Oracle | Retail Xstore Point Of Service | 18.0.3 | Affected |
Oracle | Retail Xstore Point Of Service | 19.0.2 | Affected |
Oracle | Sd-wan Edge | 9.0 | Affected |
Oracle | Webcenter Portal | 12.2.1.3.0 | Affected |
Oracle | Webcenter Portal | 12.2.1.4.0 | Affected |