CVE-2020-9546

Aliases:GHSA-5p34-5m6p-p58g

Advisory lineage Upstream: 0 Downstream: 16

Downstream

DEBIAN-CVE-2020-9546 DLA-2135-1 MGASA-2021-0153 RHBA-2020:1494 RHBA-2020:3255 RHSA-2020:1644

Analyzed

Published: 02 Mar 2020, 03:59

Last modified:04 Aug 2024, 10:34

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

2.39% LOW

2% probability +0.06%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

02 Mar 2020, 03:59

Published

Vulnerability first disclosed

04 Aug 2024, 10:34

Last Modified

Vulnerability information updated

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 2.39%• Percentile: 85%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

debian•debian_linux
8.0
fasterxml•jackson-databind
≥ 2.7.0, < 2.7.9.7 | ≥ 2.0.0, < 2.7.9.7 | ≥ 2.8.0, < 2.8.11.6 | ≥ 2.9.0, < 2.9.10.4
com.fasterxml.jackson.core•jackson-databind
≥ 2.9.0, < 2.9.10.4
netapp•active_iq_unified_manager
≥ 7.3 | ≥ 9.5
oracle•agile_plm
9.3.6
oracle•autovue_for_agile_product_lifecycle_management
21.0.2
oracle•banking_digital_experience
18.1 | 18.2 | 18.3 | 19.1 | 19.2 | 20.1
oracle•banking_platform
≥ 2.4.0, ≤ 2.9.0
oracle•communications_calendar_server
8.0.0.4.0
oracle•communications_contacts_server
8.0.0.4.0 | 8.0.0.5.0
oracle•communications_diameter_signaling_router
≥ 8.0.0, ≤ 8.2.2
oracle•communications_element_manager
≥ 8.2.0, ≤ 8.2.2
oracle•communications_evolved_communications_application_server
7.1
oracle•communications_instant_messaging_server
10.0.1.4.0
oracle•communications_network_charging_and_control
≥ 12.0.0, ≤ 12.0.3 | 6.0.1
oracle•communications_session_report_manager
≥ 8.2.0, ≤ 8.2.2
oracle•communications_session_route_manager
≥ 8.2.0, ≤ 8.2.2
oracle•enterprise_manager_base_platform
13.3.0.0 | 13.4.0.0
oracle•financial_services_analytical_applications_infrastructure
≥ 8.0.6, ≤ 8.1.0
oracle•financial_services_institutional_performance_analytics
8.0.6 | 8.0.7 | 8.1.0 | 8.7.0
oracle•financial_services_price_creation_and_discovery
8.0.6 | 8.0.7
oracle•financial_services_retail_customer_analytics
8.0.6
oracle•global_lifecycle_management_opatch
< 12.2.0.1.20
oracle•insurance_policy_administration_j2ee
11.0.2.25 | 11.1.0.15
oracle•jd_edwards_enterpriseone_orchestrator
< 9.2.4.2
oracle•jd_edwards_enterpriseone_tools
< 9.2.4.2
oracle•primavera_unifier
≥ 17.7, ≤ 17.12 | 16.1 | 16.2 | 18.8 | 19.12
oracle•retail_merchandising_system
15.0
oracle•retail_sales_audit
14.1
oracle•retail_service_backbone
14.1 | 15.0 | 16.0
oracle•retail_xstore_point_of_service
15.0 | 16.0 | 17.0 | 18.0 | 19.0
Unknown•WebLogic Server
12.2.1.3.0 | 12.2.1.4.0