CVE-2020-24750

CWE-502 — Deserialization of Untrusted Data19 documents9 sources

Severity

8.1HIGH

EPSS

2.0%

top 16.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Oracle Blockchain Platform Oracle Communications Diameter Signaling Router +23 more

Timeline

PublishedSep 17

Latest updateApr 15

Description

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages27 packages

▶NVDfasterxml/jackson-databind2.0.0 — 2.6.7.5+1

▶Mavencom.fasterxml.jackson.core:jackson-databind2.0 — 2.6.7.5+1

▶Debianjackson-databind< 2.12.1-1+3

▶NVDoracle/blockchain_platform< 21.1.2

▶NVDoracle/siebel_core_-21.5

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Unsafe Deserialization in jackson-databind↗2021-12-09

▶

OSV

Unsafe Deserialization in jackson-databind↗2021-12-09

▶

CVEList

CVE-2020-24750: FasterXML jackson-databind 2↗2020-09-17

▶

OSV

CVE-2020-24750: FasterXML jackson-databind 2↗2020-09-17

▶

💥Exploits & PoCs

Exploit-DB

BSA Radar 1.6.7234.24750 - Local File Inclusion↗2020-07-14

▶

Exploit-DB

BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)↗2020-07-08

▶

Exploit-DB

BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation↗2020-07-07

▶

Exploit-DB

BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting↗2020-06-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (jackson-databind) — CVE-2020-24750↗2022-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: PresenceApi (jackson-databind) — CVE-2020-24750↗2022-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Security (jackson-databind) — CVE-2020-24750↗2021-10-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Onboarding (jackson-databind) — CVE-2020-24750↗2021-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Event Reminders (jackson-databind) — CVE-2020-24750↗2021-04-15

▶

💬Community

Bugzilla

CVE-2020-24750 jackson-databind: mishandles the interaction between serialization gadgets and typing [fedora-all]↗2020-09-24

▶

Bugzilla

CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration↗2020-09-24

▶