CVE-2020-14195
Aliases:GHSA-mc6h-4qgp-37qh
Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 16 Jun 2020, 15:07
Last modified:04 Aug 2024, 12:39
Vulnerability Summary
Overall Risk (default)
medium
34/100 CVSS Score
8.1 HIGH
v3.1 (nvd)
EPSS Score
9.29% LOW
9% probability -0.23%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
16 Jun 2020, 15:07
Published
Vulnerability first disclosed
04 Aug 2024, 12:39
Last Modified
Vulnerability information updated
Description
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVSS Metrics
- v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 9.29%• Percentile: 93%
Techniques & Countermeasures
- CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- debian•debian_linux
8.0
- fasterxml•jackson-databind
≥ 2.9.0, < 2.9.10.5
- com.fasterxml.jackson.core•jackson-databind
≥ 2.9.0, < 2.9.10.5
- netapp•active_iq_unified_manager
≥ 7.3 | ≥ 9.5
- netapp•steelstore_cloud_integrated_storage
na
- oracle•agile_plm
9.3.6
- oracle•banking_digital_experience
18.1 | 18.2 | 18.3 | 19.1 | 19.2 | 20.1
- oracle•communications_calendar_server
8.0.0.4.0
- oracle•communications_contacts_server
8.0.0.5.0
- oracle•communications_diameter_signaling_router
≥ 8.0.0, ≤ 8.2.2
- oracle•communications_element_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•communications_evolved_communications_application_server
7.1
- oracle•communications_instant_messaging_server
10.0.1.4.0
- oracle•communications_session_report_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•communications_session_route_manager
≥ 8.2.0, ≤ 8.2.2
References (13)
- https://github.com/FasterXML/jackson-databind/issues/2765
- https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security.netapp.com/advisory/ntap-20200702-0003/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-14195
- https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259
- https://github.com/FasterXML/jackson-databind
- https://security.netapp.com/advisory/ntap-20200702-0003