FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Fasterxml
  • Jackson-databind
Netapp
  • Active Iq Unified Manager
  • Steelstore Cloud Integrated Storage
Oracle
  • Agile Plm
  • Banking Digital Experience
  • Communications Calendar Server
  • Communications Contacts Server
  • Communications Diameter Signaling Router
  • Communications Element Manager
  • Communications Evolved Communications Application Server
  • Communications Session Report Manager
  • Communications Session Route Manager
Redhat
  • Jboss Enterprise Bpms Platform
  • Jboss Enterprise Brms Platform
  • Jboss Fuse
  • Satellite
  • Satellite Capsule

Configuration 1 [-]

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Decision Manager 7
jackson-databind cpe:/a:redhat:jboss_enterprise_brms_platform:7.8 RHSA-2020:3196 2020-07-29T00:00:00Z
Red Hat Fuse 7.7.0
jackson-databind cpe:/a:redhat:jboss_fuse:7 RHSA-2020:3192 2020-07-28T00:00:00Z
Red Hat Process Automation 7
jackson-databind cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8 RHSA-2020:3197 2020-07-29T00:00:00Z
Red Hat Satellite 6.6 for RHEL 7
candlepin-0:2.6.16-1.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
foreman-0:1.22.0.39-2.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
satellite-0:6.6.3-1.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-fog-ovirt-0:1.2.3-1.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-foreman_rh_cloud-0:0.9.4.1-2.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-katello-0:3.12.0.41-1.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-runcible-0:2.13.0-1.el7sat cpe:/a:redhat:satellite:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
candlepin-0:2.6.16-1.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
foreman-0:1.22.0.39-2.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
satellite-0:6.6.3-1.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-fog-ovirt-0:1.2.3-1.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-foreman_rh_cloud-0:0.9.4.1-2.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-katello-0:3.12.0.41-1.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
tfm-rubygem-runcible-0:2.13.0-1.el7sat cpe:/a:redhat:satellite_capsule:6.6::el7 RHBA-2020:1494 2020-04-16T00:00:00Z
Red Hat Satellite 6.7 for RHEL 7
candlepin-0:2.9.28-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
foreman-0:1.24.1.24-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
foreman-installer-1:1.24.1.21-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
pulp-rpm-0:2.21.0.6-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
satellite-0:6.7.2-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-fog-vsphere-0:3.2.1.1-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-foreman_remote_execution-0:2.0.10.1-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-foreman_rh_cloud-0:1.0.9-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-foreman-tasks-0:0.17.5.6-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-hammer_cli_foreman-0:0.19.6.5-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-katello-0:3.14.0.25-1.el7sat cpe:/a:redhat:satellite:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
candlepin-0:2.9.28-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
foreman-0:1.24.1.24-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
foreman-installer-1:1.24.1.21-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
pulp-rpm-0:2.21.0.6-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
satellite-0:6.7.2-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-fog-vsphere-0:3.2.1.1-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-foreman_remote_execution-0:2.0.10.1-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-foreman_rh_cloud-0:1.0.9-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-foreman-tasks-0:0.17.5.6-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-hammer_cli_foreman-0:0.19.6.5-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
tfm-rubygem-katello-0:3.14.0.25-1.el7sat cpe:/a:redhat:satellite_capsule:6.7::el7 RHBA-2020:3255 2020-07-30T00:00:00Z
References
Link Providers
https://github.com/FasterXML/jackson-databind/issues/2688 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html cve-icon cve-icon
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-14060 cve-icon
https://security.netapp.com/advisory/ntap-20200702-0003/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-14060 cve-icon
https://www.oracle.com//security-alerts/cpujul2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuApr2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2021.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-14T20:46:47

Updated: 2024-08-04T12:32:14.684Z

Reserved: 2020-06-14T00:00:00

Link: CVE-2020-14060

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-06-14T21:15:09.817

Modified: 2023-11-07T03:17:05.777

Link: CVE-2020-14060

cve-icon Redhat

Severity : Important

Publid Date: 2020-05-19T00:00:00Z

Links: CVE-2020-14060 - Bugzilla