ID CVE-2020-14060
Summary FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
References
Vulnerable Configurations
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:7.3:*:*:*:*:linux:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:9.6:*:*:*:*:linux:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:7.3:*:*:*:*:windows:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:9.5:*:*:*:*:windows:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:9.6:*:*:*:*:windows:*:*
  • cpe:2.3:a:netapp:active_iq_unified_manager:9.5:*:*:*:*:vmware_vsphere:*:*
  • cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 17-11-2021 - 20:20)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
rpms
  • candlepin-0:2.6.16-1.el7sat
  • candlepin-selinux-0:2.6.16-1.el7sat
  • foreman-0:1.22.0.39-2.el7sat
  • foreman-cli-0:1.22.0.39-2.el7sat
  • foreman-debug-0:1.22.0.39-2.el7sat
  • foreman-ec2-0:1.22.0.39-2.el7sat
  • foreman-gce-0:1.22.0.39-2.el7sat
  • foreman-journald-0:1.22.0.39-2.el7sat
  • foreman-libvirt-0:1.22.0.39-2.el7sat
  • foreman-openstack-0:1.22.0.39-2.el7sat
  • foreman-ovirt-0:1.22.0.39-2.el7sat
  • foreman-postgresql-0:1.22.0.39-2.el7sat
  • foreman-rackspace-0:1.22.0.39-2.el7sat
  • foreman-telemetry-0:1.22.0.39-2.el7sat
  • foreman-vmware-0:1.22.0.39-2.el7sat
  • satellite-0:6.6.3-1.el7sat
  • satellite-capsule-0:6.6.3-1.el7sat
  • satellite-cli-0:6.6.3-1.el7sat
  • satellite-common-0:6.6.3-1.el7sat
  • satellite-debug-tools-0:6.6.3-1.el7sat
  • tfm-rubygem-fog-ovirt-0:1.2.3-1.el7sat
  • tfm-rubygem-foreman_rh_cloud-0:0.9.4.1-2.el7sat
  • tfm-rubygem-katello-0:3.12.0.41-1.el7sat
  • tfm-rubygem-runcible-0:2.13.0-1.el7sat
  • candlepin-0:2.9.28-1.el7sat
  • candlepin-selinux-0:2.9.28-1.el7sat
  • foreman-0:1.24.1.24-1.el7sat
  • foreman-cli-0:1.24.1.24-1.el7sat
  • foreman-debug-0:1.24.1.24-1.el7sat
  • foreman-ec2-0:1.24.1.24-1.el7sat
  • foreman-gce-0:1.24.1.24-1.el7sat
  • foreman-installer-1:1.24.1.21-1.el7sat
  • foreman-installer-katello-1:1.24.1.21-1.el7sat
  • foreman-journald-0:1.24.1.24-1.el7sat
  • foreman-libvirt-0:1.24.1.24-1.el7sat
  • foreman-openstack-0:1.24.1.24-1.el7sat
  • foreman-ovirt-0:1.24.1.24-1.el7sat
  • foreman-postgresql-0:1.24.1.24-1.el7sat
  • foreman-rackspace-0:1.24.1.24-1.el7sat
  • foreman-telemetry-0:1.24.1.24-1.el7sat
  • foreman-vmware-0:1.24.1.24-1.el7sat
  • pulp-rpm-admin-extensions-0:2.21.0.6-1.el7sat
  • pulp-rpm-plugins-0:2.21.0.6-1.el7sat
  • python-pulp-integrity-0:2.21.0.6-1.el7sat
  • python-pulp-rpm-common-0:2.21.0.6-1.el7sat
  • satellite-0:6.7.2-1.el7sat
  • satellite-capsule-0:6.7.2-1.el7sat
  • satellite-cli-0:6.7.2-1.el7sat
  • satellite-common-0:6.7.2-1.el7sat
  • satellite-debug-tools-0:6.7.2-1.el7sat
  • tfm-rubygem-fog-vsphere-0:3.2.1.1-1.el7sat
  • tfm-rubygem-foreman-tasks-0:0.17.5.6-1.el7sat
  • tfm-rubygem-foreman_remote_execution-0:2.0.10.1-1.el7sat
  • tfm-rubygem-foreman_remote_execution-cockpit-0:2.0.10.1-1.el7sat
  • tfm-rubygem-foreman_rh_cloud-0:1.0.9-1.el7sat
  • tfm-rubygem-hammer_cli_foreman-0:0.19.6.5-1.el7sat
  • tfm-rubygem-katello-0:3.14.0.25-1.el7sat
refmap via4
confirm https://security.netapp.com/advisory/ntap-20200702-0003/
misc
mlist [debian-lts-announce] 20200701 [SECURITY] [DLA 2270-1] jackson-databind security update
Last major update 17-11-2021 - 20:20
Published 14-06-2020 - 21:15
Last modified 17-11-2021 - 20:20