CVE-2020-35491
jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con org.apache.commons.dbcp2.datasources.SharedPoolDataSource
A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-12-17 CVE Reserved
- 2020-12-17 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-11-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| https://github.com/FasterXML/jackson-databind/issues/2986 | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20210122-0005 | Third Party Advisory |
|
| https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com//security-alerts/cpujul2021.html | 2022-09-08 | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | 2022-09-08 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2022-09-08 | |
| https://www.oracle.com/security-alerts/cpujan2022.html | 2022-09-08 | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | 2022-09-08 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2020-35491 | 2021-05-06 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1909269 | 2021-05-06 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.0.0 < 2.9.10.8 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.0.0 < 2.9.10.8" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Service Level Manager Search vendor "Netapp" for product "Service Level Manager" | - | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Agile Plm Search vendor "Oracle" for product "Agile Plm" | 9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite" | 13.3.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.3.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" | 21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.6.2 Search vendor "Oracle" for product "Banking Platform" and version "2.6.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.7.0 Search vendor "Oracle" for product "Banking Platform" and version "2.7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.7.1 Search vendor "Oracle" for product "Banking Platform" and version "2.7.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.8.0 Search vendor "Oracle" for product "Banking Platform" and version "2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.9.0 Search vendor "Oracle" for product "Banking Platform" and version "2.9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.10.0 Search vendor "Oracle" for product "Banking Platform" and version "2.10.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Treasury Management Search vendor "Oracle" for product "Banking Treasury Management" | 14.4 Search vendor "Oracle" for product "Banking Treasury Management" and version "14.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.2.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.3.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.5.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform" | <= 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " <= 21.1.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy" | 1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" | 1.4.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Signaling Route Search vendor "Oracle" for product "Communications Diameter Signaling Route" | >= 8.0.0.0 <= 8.5.0.0 Search vendor "Oracle" for product "Communications Diameter Signaling Route" and version " >= 8.0.0.0 <= 8.5.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Signaling Route Search vendor "Oracle" for product "Communications Diameter Signaling Route" | - | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Evolved Communications Application Server Search vendor "Oracle" for product "Communications Evolved Communications Application Server" | 7.1 Search vendor "Oracle" for product "Communications Evolved Communications Application Server" and version "7.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server" | 10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | 12.0.0.3 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center" | 12.0.0.4.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 7.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Documaker Search vendor "Oracle" for product "Documaker" | 12.6.3 Search vendor "Oracle" for product "Documaker" and version "12.6.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Documaker Search vendor "Oracle" for product "Documaker" | 12.6.4 Search vendor "Oracle" for product "Documaker" and version "12.6.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Insurance Policy Administration J2ee Search vendor "Oracle" for product "Insurance Policy Administration J2ee" | 11.0.2 Search vendor "Oracle" for product "Insurance Policy Administration J2ee" and version "11.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Customer Management And Segmentation Foundation Search vendor "Oracle" for product "Retail Customer Management And Segmentation Foundation" | >= 16.0 <= 19.0 Search vendor "Oracle" for product "Retail Customer Management And Segmentation Foundation" and version " >= 16.0 <= 19.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System" | 15.0.3 Search vendor "Oracle" for product "Retail Merchandising System" and version "15.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Sd-wan Edge Search vendor "Oracle" for product "Sd-wan Edge" | 9.0 Search vendor "Oracle" for product "Sd-wan Edge" and version "9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal" | 12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal" | 12.2.1.4.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0" | - |
Affected
| ||||||