CVE-2020-10650 - OpenCVE

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fasterxml	Jackson-databind
Oracle	Retail Merchandising System Retail Sales Audit

Configuration 1 [-]

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:retail_merchandising_system:15.0:::::::*
	cpe:2.3:a:oracle:retail_sales_audit:14.1:::::::*

No data.

References

Link	Providers
https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
https://github.com/FasterXML/jackson-databind/issues/2658
https://github.com/advisories/GHSA-rpr3-cw39-3pxh
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20230818-0007/
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-12-26T00:00:00

Updated: 2024-08-04T11:06:10.616Z

Reserved: 2020-03-17T00:00:00

Link: CVE-2020-10650

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-26T20:15:10.433

Modified: 2023-08-18T14:15:18.573

Link: CVE-2020-10650

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-10650", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T11:06:10.616Z", "dateReserved": "2020-03-17T00:00:00", "datePublished": "2022-12-26T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-26T00:00:00"}, "descriptions": [{"lang": "en", "value": "A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2022.html"}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2658"}, {"url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0007/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:06:10.616Z"}, "title": "CVE Program Container", "references": [{"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2022.html", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2658", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0007/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "238F4D80-C84C-4C96-B45D-D73ADE46A3C8", "versionEndIncluding": "2.9.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "792DF04A-2D1B-40B5-B960-3E7152732EB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*", "matchCriteriaId": "7DA6E92C-AC3B-40CF-96AE-22CD8769886F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider."}, {"lang": "es", "value": "Se descubri\u00f3 un fallo de deserializaci\u00f3n en jackson-databind hasta 2.9.10.4. Podr\u00eda permitir que un usuario no autenticado realice la ejecuci\u00f3n de c\u00f3digo a trav\u00e9s de ignite-jta o quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory y org. quartz.utils.JNDIConnectionProvider."}], "id": "CVE-2020-10650", "lastModified": "2023-08-18T14:15:18.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-26T20:15:10.433", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/issues/2658"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230818-0007/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2022.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}