CVE-2020-25649

CWE-611 — XML External Entity (XXE)18 documents9 sources

Severity

7.5HIGH

EPSS

0.0%

top 95.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Iotdb Fasterxml Jackson-databind Oracle Blockchain Platform +33 more

Timeline

PublishedDec 3

Latest updateApr 15

Description

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages38 packages

▶NVDfasterxml/jackson-databind2.6.0 — 2.6.7.4+2

▶Mavencom.fasterxml.jackson.core:jackson-databind2.6.0 — 2.6.7.4+2

▶Debianjackson-databind< 2.11.1-1+3

▶CVEListV5jackson-databindjackson-databind-2.11.0

▶NVDoracle/communications_cloud_native_core_unified_data_repository1.4.0

Also affects: Fedora 32

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

XML External Entity (XXE) Injection in Jackson Databind↗2021-02-18

▶

GHSA

XML External Entity (XXE) Injection in Jackson Databind↗2021-02-18

▶

OSV

CVE-2020-25649: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly↗2020-12-03

▶

CVEList

CVE-2020-25649: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly↗2020-12-03

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Runtime Server (jackson-databind) — CVE-2020-25649↗2025-04-15

▶

Atlassian

CVE-2020-25649: XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server↗2024-01-16

▶

Oracle

Oracle Oracle Insurance Applications Risk Matrix: Logger (jackson-databind) — CVE-2020-25649↗2023-04-15

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: Security (jackson-databind) — CVE-2020-25649↗2022-07-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Security Framework (jackson-databind) — CVE-2020-25649↗2022-04-15

▶

💬Community

Bugzilla

CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)↗2020-10-13

▶

Bugzilla

CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) [fedora-all]↗2020-10-13

▶