CVE-2020-14061

CWE-502 — Deserialization of Untrusted Data10 documents8 sources

Severity

8.1HIGH

EPSS

6.2%

top 9.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Oracle Communications Diameter Signaling Router Oracle Communications Element Manager +11 more

Timeline

PublishedJun 14

Latest updateMar 15

Description

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages15 packages

▶NVDoracle/communications_element_manager8.2.0 — 8.2.2

▶NVDoracle/communications_session_route_manager8.2.0 — 8.2.2

▶NVDoracle/communications_session_report_manager8.2.0 — 8.2.2

▶NVDoracle/communications_diameter_signaling_router8.0.0 — 8.2.2

▶NVDoracle/autovue21.0.2

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Deserialization of untrusted data in Jackson Databind↗2020-06-18

▶

OSV

Deserialization of untrusted data in Jackson Databind↗2020-06-18

▶

CVEList

CVE-2020-14061: FasterXML jackson-databind 2↗2020-06-14

▶

OSV

CVE-2020-14061: FasterXML jackson-databind 2↗2020-06-14

▶

📋Vendor Advisories

Ubuntu

Jackson Databind vulnerabilities↗2021-03-15

▶

Red Hat

jackson-databind: serialization in weblogic/oracle-aqjms↗2020-05-19

▶

Debian

CVE-2020-14061: jackson-databind - FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction betwee...↗2020

▶

💬Community

Bugzilla

CVE-2020-14061 jackson-databind: serialization in weblogic/oracle-aqjms [fedora-all]↗2020-06-19

▶

Bugzilla

CVE-2020-14061 jackson-databind: serialization in weblogic/oracle-aqjms↗2020-06-19

▶