CVE-2020-14061
Aliases:GHSA-c2q3-4qrh-fm48
Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 14 Jun 2020, 19:42
Last modified:27 Aug 2025, 20:33
Vulnerability Summary
Overall Risk (default)
medium
34/100 CVSS Score
8.1 HIGH
v3.1 (cve.org)
EPSS Score
6.31% LOW
6% probability +0.16%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
14 Jun 2020, 19:42
Published
Vulnerability first disclosed
27 Aug 2025, 20:33
Last Modified
Vulnerability information updated
Description
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVSS Metrics
- v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 6.31%• Percentile: 91%
Techniques & Countermeasures
- CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- debian•debian_linux
8.0
- fasterxml•jackson-databind
≥ 2.9.0, < 2.9.10.5
- com.fasterxml.jackson.core•jackson-databind
≥ 2.9.0, < 2.9.10.5
- netapp•active_iq_unified_manager
≥ 7.3 | ≥ 9.5
- netapp•steelstore_cloud_integrated_storage
na
- oracle•agile_plm
9.3.6
- oracle•autovue_for_agile_product_lifecycle_management
21.0.2
- oracle•banking_digital_experience
18.1 | 18.2 | 18.3 | 19.1 | 19.2 | 20.1
- oracle•communications_calendar_server
8.0.0.4.0
- oracle•communications_contacts_server
8.0.0.5.0
- oracle•communications_diameter_signaling_router
≥ 8.0.0, ≤ 8.2.2
- oracle•communications_element_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•communications_evolved_communications_application_server
7.1
- oracle•communications_instant_messaging_server
10.0.1.4.0
- oracle•communications_session_report_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•communications_session_route_manager
≥ 8.2.0, ≤ 8.2.2
References (15)
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/FasterXML/jackson-databind/issues/2698
- https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security.netapp.com/advisory/ntap-20200702-0003/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-14061
- https://github.com/FasterXML/jackson-databind/commit/5c8642aeae9c756b438ab7637c90ef3c77966e6e
- https://github.com/FasterXML/jackson-databind
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20200702-0003
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316