FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendors Products
Netapp
  • Steelstore Cloud Integrated Storage
  • Active Iq Unified Manager
Oracle
  • Communications Diameter Signaling Router
  • Communications Instant Messaging Server
  • Communications Session Report Manager
  • Communications Evolved Communications Application Server
  • Communications Contacts Server
  • Agile Plm
  • Autovue For Agile Product Lifecycle Management
  • Communications Element Manager
  • Communications Session Route Manager
  • Banking Digital Experience
  • Communications Calendar Server
Debian
  • Debian Linux
Fasterxml
  • Jackson-databind

Configuration 1 [-]

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
References
Link Resource
https://github.com/FasterXML/jackson-databind/issues/2698 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html Mailing List Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20200702-0003/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-14T19:42:39

Updated: 2021-10-20T10:39:09

Reserved: 2020-06-14T00:00:00

Link: CVE-2020-14061

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2020-06-14T20:15:10.027

Modified: 2023-11-07T03:17:05.860

Link: CVE-2020-14061

JSON object: View

cve-icon Redhat Information

No data.

CWE