FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Debian
  • Debian Linux
Fasterxml
  • Jackson-databind
Netapp
  • Cloud Backup
  • Service Level Manager
Oracle
  • Agile Plm
  • Application Testing Suite
  • Autovue For Agile Product Lifecycle Management
  • Banking Corporate Lending Process Management
  • Banking Credit Facilities Process Management
  • Banking Extensibility Workbench
  • Banking Supply Chain Finance
  • Banking Treasury Management
  • Banking Virtual Account Management
  • Blockchain Platform
  • Commerce Platform
  • Communications Billing And Revenue Management
  • Communications Cloud Native Core Policy
  • Communications Cloud Native Core Unified Data Repository
  • Communications Convergent Charging Controller
  • Communications Diameter Signaling Route
  • Communications Element Manager
  • Communications Evolved Communications Application Server
  • Communications Instant Messaging Server
  • Communications Network Charging And Control
  • Communications Offline Mediation Controller
  • Communications Policy Management
  • Communications Pricing Design Center
  • Communications Services Gatekeeper
  • Communications Session Report Manager
  • Communications Session Route Manager
  • Communications Unified Inventory Management
  • Data Integrator
  • Documaker
  • Goldengate Application Adapters
  • Insurance Policy Administration
  • Insurance Rules Palette
  • Jd Edwards Enterpriseone Orchestrator
  • Jd Edwards Enterpriseone Tools
  • Primavera Gateway
  • Primavera Unifier
  • Retail Customer Management And Segmentation Foundation
  • Retail Merchandising System
  • Retail Service Backbone
  • Retail Xstore Point Of Service
  • Webcenter Portal
Redhat
  • Logging
  • Openshift

Configuration 1 [-]

OR cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_extensibility_workbench:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_extensibility_workbench:14.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_extensibility_workbench:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_treasury_management:4.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:commerce_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:commerce_platform:11.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_route:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:12.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:16.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Package CPE Advisory Released Date
OpenShift Logging 5.0
openshift-logging/elasticsearch6-rhel8:v5.0.3-1 cpe:/a:redhat:logging:5.0::el8 RHSA-2021:1515 2021-05-06T00:00:00Z
Red Hat OpenShift Container Platform 4.6
openshift4/ose-logging-elasticsearch6:v4.6.0-202104161407.p0 cpe:/a:redhat:openshift:4.6::el8 RHSA-2021:1230 2021-04-27T00:00:00Z
References
Link Providers
https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 cve-icon cve-icon cve-icon
https://github.com/FasterXML/jackson-databind/issues/2998 cve-icon cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-36184 cve-icon
https://security.netapp.com/advisory/ntap-20210205-0005/ cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-36184 cve-icon
https://www.oracle.com//security-alerts/cpujul2021.html cve-icon cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuApr2021.html cve-icon cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2022.html cve-icon cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2021.html cve-icon cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-06T22:30:07

Updated: 2024-08-04T17:23:09.423Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2020-36184

cve-icon Vulnrichment

Updated: 2024-08-04T17:23:09.423Z

cve-icon NVD

Status : Modified

Published: 2021-01-06T23:15:13.017

Modified: 2024-07-03T01:36:32.620

Link: CVE-2020-36184

cve-icon Redhat

Severity : Important

Publid Date: 2020-12-23T00:00:00Z

Links: CVE-2020-36184 - Bugzilla