CVE-2020-36179
jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
Severity Score: 8.1 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: see the CPE-derived table below
Public Exploits: 2 (multiple sources)
Exploited in Wild: - (KEV)
Decision: Track* (SSVC)
Descriptions
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
*Credits: N/A
CVSS Scores
- CVSS v3.1 base score: 8.1 (per-metric values for Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity and Availability are not present in this copy)
* Common Vulnerability Scoring System
SSVC
- Decision: Track*
* Organization's Worst-case Scenario
Timeline
- 2021-01-06 CVE Reserved
- 2021-01-06 CVE Published
- 2021-01-10 First Exploit
- 2023-11-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (14)

URL | Tag | Source |
---|---|---|
https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E | Mailing List | |
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html | Mailing List | |
https://security.netapp.com/advisory/ntap-20210205-0005 | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuApr2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://github.com/Al1ex/CVE-2020-36179 | 2021-01-10 | |
https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 | 2024-08-04 | |

URL | Date | SRC |
---|---|---|
https://github.com/FasterXML/jackson-databind/issues/3004 | 2024-07-03 | |
https://www.oracle.com//security-alerts/cpujul2021.html | 2024-07-03 | |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2024-07-03 | |
https://www.oracle.com/security-alerts/cpujan2022.html | 2024-07-03 | |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2024-07-03 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2020-36179 | 2021-05-06 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1913871 | 2021-05-06 | |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Netapp | Cloud Backup | - | - | Affected |
Netapp | Service Level Manager | - | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |
Oracle | Agile Plm | 9.3.6 | - | Affected |
Oracle | Application Testing Suite | 13.3.0.1 | - | Affected |
Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 | - | Affected |
Oracle | Banking Corporate Lending Process Management | 14.2 | - | Affected |
Oracle | Banking Corporate Lending Process Management | 14.3 | - | Affected |
Oracle | Banking Corporate Lending Process Management | 14.5 | - | Affected |
Oracle | Banking Credit Facilities Process Management | 14.2 | - | Affected |
Oracle | Banking Credit Facilities Process Management | 14.3 | - | Affected |
Oracle | Banking Credit Facilities Process Management | 14.5 | - | Affected |
Oracle | Banking Supply Chain Finance | 14.2 | - | Affected |
Oracle | Banking Supply Chain Finance | 14.3 | - | Affected |
Oracle | Banking Supply Chain Finance | 14.5 | - | Affected |
Oracle | Banking Treasury Management | 14.4 | - | Affected |
Oracle | Banking Virtual Account Management | 14.2.0 | - | Affected |
Oracle | Banking Virtual Account Management | 14.3.0 | - | Affected |
Oracle | Banking Virtual Account Management | 14.5.0 | - | Affected |
Oracle | Blockchain Platform | <= 21.1.2 | - | Affected |
Oracle | Commerce Platform | >= 11.3.0 <= 11.3.2 | - | Affected |
Oracle | Commerce Platform | 11.2.0 | - | Affected |
Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 | - | Affected |
Oracle | Communications Billing And Revenue Management | 12.0.0.3.0 | - | Affected |
Oracle | Communications Cloud Native Core Policy | 1.14.0 | - | Affected |
Oracle | Communications Cloud Native Core Unified Data Repository | 1.4.0 | - | Affected |
Oracle | Communications Convergent Charging Controller | 12.0.4.0.0 | - | Affected |
Oracle | Communications Diameter Signaling Route | >= 8.0.0.0 <= 8.5.0.0 | - | Affected |
Oracle | Communications Element Manager | >= 8.2.0.0 <= 8.2.4.0 | - | Affected |
Oracle | Communications Evolved Communications Application Server | 7.1 | - | Affected |
Oracle | Communications Instant Messaging Server | 10.0.1.5.0 | - | Affected |
Oracle | Communications Network Charging And Control | 12.0.4.0.0 | - | Affected |
Oracle | Communications Offline Mediation Controller | 12.0.0.3 | - | Affected |
Oracle | Communications Policy Management | 12.5.0 | - | Affected |
Oracle | Communications Pricing Design Center | 12.0.0.4.0 | - | Affected |
Oracle | Communications Services Gatekeeper | 7.0 | - | Affected |
Oracle | Communications Session Report Manager | >= 8.0.0.0 <= 8.2.2.1 | - | Affected |
Oracle | Communications Session Route Manager | >= 8.2.0 <= 8.2.2.1 | - | Affected |
Oracle | Communications Unified Inventory Management | 7.4.1 | - | Affected |
Oracle | Data Integrator | 12.2.1.4.0 | - | Affected |
Oracle | Goldengate Application Adapters | 19.1.0.0.0 | - | Affected |
Oracle | Insurance Policy Administration | >= 11.1.0 <= 11.3.0 | - | Affected |
Oracle | Insurance Policy Administration | 11.0.2 | - | Affected |
Oracle | Insurance Rules Palette | >= 11.1.0 <= 11.3.0 | - | Affected |
Oracle | Insurance Rules Palette | 11.0.2 | - | Affected |
Oracle | Jd Edwards Enterpriseone Orchestrator | < 9.2.5.3 | - | Affected |
Oracle | Jd Edwards Enterpriseone Tools | < 9.2.5.3 | - | Affected |
Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.11 | - | Affected |
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.11 | - | Affected |
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.10 | - | Affected |
Oracle | Primavera Gateway | 20.12.0 | - | Affected |
Oracle | Primavera Unifier | >= 17.7 <= 17.12 | - | Affected |
Oracle | Primavera Unifier | 18.8 | - | Affected |
Oracle | Primavera Unifier | 19.12 | - | Affected |
Oracle | Primavera Unifier | 20.12 | - | Affected |
Oracle | Retail Customer Management And Segmentation Foundation | >= 16.0 <= 19.0 | - | Affected |
Oracle | Retail Merchandising System | 15.0.3 | - | Affected |
Oracle | Retail Service Backbone | 14.1.3.2 | - | Affected |
Oracle | Retail Service Backbone | 15.0.3.1 | - | Affected |
Oracle | Retail Service Backbone | 16.0.3.0 | - | Affected |
Oracle | Retail Xstore Point Of Service | 16.0.6 | - | Affected |
Oracle | Retail Xstore Point Of Service | 17.0.4 | - | Affected |
Oracle | Retail Xstore Point Of Service | 18.0.3 | - | Affected |
Oracle | Retail Xstore Point Of Service | 19.0.2 | - | Affected |
Oracle | Webcenter Portal | 12.2.1.3.0 | - | Affected |
Oracle | Webcenter Portal | 12.2.1.4.0 | - | Affected |
Fasterxml | Jackson-databind | >= 2.0.0 < 2.6.7.5 | - | Affected |
Fasterxml | Jackson-databind | >= 2.7.0 < 2.9.10.8 | - | Affected |