CVE-2020-14062: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to…

high8.1CVSS 3.1

AVNACHPRNUINSUCHIHAH

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Affected

24 ranges

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.11.1-1 (bookworm)	jackson-databind 2.11.1-1 (bookworm)
fasterxml	jackson-databind	>= 0 < 2.11.1-1	2.11.1-1
fasterxml	jackson-databind	>= 0 < 2.11.1-1	2.11.1-1
fasterxml	jackson-databind	>= 0 < 2.11.1-1	2.11.1-1
fasterxml	jackson-databind	>= 0 < 2.11.1-1	2.11.1-1
fasterxml	jackson-databind	>= 0 < 2.4.2-3ubuntu0.1~esm2	2.4.2-3ubuntu0.1~esm2
fasterxml	jackson-databind	>= 2.0.0 < 2.9.10.5	2.9.10.5
netapp	active_iq_unified_manager	>= 7.3	—
netapp	active_iq_unified_manager	>= 9.5	—
oracle	agile_plm	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	communications_calendar_server	—	—
oracle	communications_contacts_server	—	—
oracle	communications_diameter_signaling_router	8.0.0 – 8.2.2	—
oracle	communications_element_manager	8.2.0 – 8.2.2	—
oracle	communications_evolved_communications_application_server	—	—
oracle	communications_session_report_manager	8.2.0 – 8.2.2	—
oracle	communications_session_route_manager	8.2.0 – 8.2.2	—

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL