CVE-2020-14060

Aliases:GHSA-j823-4qch-3rgm

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2020-14060 DLA-2270-1 MGASA-2021-0153 RHBA-2020:1494 RHBA-2020:3255 UBUNTU-CVE-2020-14060

Analyzed

Published: 14 Jun 2020, 20:46

Last modified:04 Aug 2024, 12:32

Vulnerability Summary

Overall Risk (default)

medium

34/100

CVSS Score

8.1 HIGH

v3.1 (nvd)

EPSS Score

8.93% LOW

9% probability +0.22%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

14 Jun 2020, 20:46

Published

Vulnerability first disclosed

04 Aug 2024, 12:32

Last Modified

Vulnerability information updated

Description

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVSS Metrics

v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 8.93%• Percentile: 93%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

fasterxml•jackson-databind
≥ 2.9.0, < 2.9.10.5 | ≥ 2.0.0, < 2.9.10.5
com.fasterxml.jackson.core•jackson-databind
≥ 2.9.0, < 2.9.10.5
netapp•active_iq_unified_manager
≥ 7.3 | ≥ 9.5
netapp•steelstore_cloud_integrated_storage
na
oracle•agile_plm
9.3.6
oracle•banking_digital_experience
18.1 | 18.2 | 18.3 | 19.1 | 19.2 | 20.1
oracle•communications_calendar_server
8.0.0.4.0
oracle•communications_contacts_server
8.0.0.5.0
oracle•communications_diameter_signaling_router
≥ 8.0.0, ≤ 8.2.2
oracle•communications_element_manager
≥ 8.2.0, ≤ 8.2.2
oracle•communications_evolved_communications_application_server
7.1
oracle•communications_session_report_manager
≥ 8.2.0, ≤ 8.2.2
oracle•communications_session_route_manager
≥ 8.2.0, ≤ 8.2.2