CVE-2020-9546
jackson-databind: Serialization gadgets in shaded-hikari-config
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.4 maneja inapropiadamente la interacción entre la serialización de gadgets y el tipeo, relacionada a org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (también se conoce como shaded hikari-config).
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-03-02 CVE Reserved
- 2020-03-02 CVE Published
- 2024-06-26 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (19)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/FasterXML/jackson-databind/issues/2631 | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujan2021.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuoct2020.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2020-9546 | 2020-10-27 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1816332 | 2020-10-27 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.7.0 < 2.7.9.7 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.7.0 < 2.7.9.7" | - |
Affected
| ||||||
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.8.0 < 2.8.11.6 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.8.0 < 2.8.11.6" | - |
Affected
| ||||||
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.9.0 < 2.9.10.4 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.10.4" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 7.3 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 7.3" | linux |
Affected
| ||||||
Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 7.3 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 7.3" | windows |
Affected
| ||||||
Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 9.5 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 9.5" | vmware_vsphere |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Agile Plm Search vendor "Oracle" for product "Agile Plm" | 9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" | 21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 18.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "18.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 18.2 Search vendor "Oracle" for product "Banking Digital Experience" and version "18.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 18.3 Search vendor "Oracle" for product "Banking Digital Experience" and version "18.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 19.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 19.2 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | >= 2.4.0 <= 2.9.0 Search vendor "Oracle" for product "Banking Platform" and version " >= 2.4.0 <= 2.9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Calendar Server Search vendor "Oracle" for product "Communications Calendar Server" | 8.0.0.4.0 Search vendor "Oracle" for product "Communications Calendar Server" and version "8.0.0.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Contacts Server Search vendor "Oracle" for product "Communications Contacts Server" | 8.0.0.4.0 Search vendor "Oracle" for product "Communications Contacts Server" and version "8.0.0.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Contacts Server Search vendor "Oracle" for product "Communications Contacts Server" | 8.0.0.5.0 Search vendor "Oracle" for product "Communications Contacts Server" and version "8.0.0.5.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router" | >= 8.0.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager" | >= 8.2.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Element Manager" and version " >= 8.2.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Evolved Communications Application Server Search vendor "Oracle" for product "Communications Evolved Communications Application Server" | 7.1 Search vendor "Oracle" for product "Communications Evolved Communications Application Server" and version "7.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server" | 10.0.1.4.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Network Charging And Control Search vendor "Oracle" for product "Communications Network Charging And Control" | >= 12.0.0 <= 12.0.3 Search vendor "Oracle" for product "Communications Network Charging And Control" and version " >= 12.0.0 <= 12.0.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Network Charging And Control Search vendor "Oracle" for product "Communications Network Charging And Control" | 6.0.1 Search vendor "Oracle" for product "Communications Network Charging And Control" and version "6.0.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager" | >= 8.2.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.2.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager" | >= 8.2.0 <= 8.2.2 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.2.0 <= 8.2.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.3.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.3.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" | >= 8.0.6 <= 8.1.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.6 <= 8.1.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Institutional Performance Analytics Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" | 8.0.6 Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" and version "8.0.6" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Institutional Performance Analytics Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" | 8.0.7 Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" and version "8.0.7" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Institutional Performance Analytics Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" | 8.1.0 Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" and version "8.1.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Institutional Performance Analytics Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" | 8.7.0 Search vendor "Oracle" for product "Financial Services Institutional Performance Analytics" and version "8.7.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Price Creation And Discovery Search vendor "Oracle" for product "Financial Services Price Creation And Discovery" | 8.0.6 Search vendor "Oracle" for product "Financial Services Price Creation And Discovery" and version "8.0.6" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Price Creation And Discovery Search vendor "Oracle" for product "Financial Services Price Creation And Discovery" | 8.0.7 Search vendor "Oracle" for product "Financial Services Price Creation And Discovery" and version "8.0.7" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Retail Customer Analytics Search vendor "Oracle" for product "Financial Services Retail Customer Analytics" | 8.0.6 Search vendor "Oracle" for product "Financial Services Retail Customer Analytics" and version "8.0.6" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Global Lifecycle Management Opatch Search vendor "Oracle" for product "Global Lifecycle Management Opatch" | < 12.2.0.1.20 Search vendor "Oracle" for product "Global Lifecycle Management Opatch" and version " < 12.2.0.1.20" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Insurance Policy Administration J2ee Search vendor "Oracle" for product "Insurance Policy Administration J2ee" | 11.0.2.25 Search vendor "Oracle" for product "Insurance Policy Administration J2ee" and version "11.0.2.25" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Insurance Policy Administration J2ee Search vendor "Oracle" for product "Insurance Policy Administration J2ee" | 11.1.0.15 Search vendor "Oracle" for product "Insurance Policy Administration J2ee" and version "11.1.0.15" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Jd Edwards Enterpriseone Orchestrator Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator" | < 9.2.4.2 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator" and version " < 9.2.4.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" | < 9.2.4.2 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.4.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | >= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 16.1 Search vendor "Oracle" for product "Primavera Unifier" and version "16.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 16.2 Search vendor "Oracle" for product "Primavera Unifier" and version "16.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System" | 15.0 Search vendor "Oracle" for product "Retail Merchandising System" and version "15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Sales Audit Search vendor "Oracle" for product "Retail Sales Audit" | 14.1 Search vendor "Oracle" for product "Retail Sales Audit" and version "14.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone" | 14.1 Search vendor "Oracle" for product "Retail Service Backbone" and version "14.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone" | 15.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone" | 16.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "16.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 15.0 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 16.0 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 17.0 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 18.0 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 19.0 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0" | - |
Affected
|