CVE-2020-35728: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to…

high8.1CVSS 3.1

AVNACHPRNUINSUCHIHAH

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Affected

70 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.12.1-1 (bookworm)	jackson-databind 2.12.1-1 (bookworm)
fasterxml	jackson-databind	>= 0 < 2.12.1-1	2.12.1-1
fasterxml	jackson-databind	>= 0 < 2.12.1-1	2.12.1-1
fasterxml	jackson-databind	>= 0 < 2.12.1-1	2.12.1-1
fasterxml	jackson-databind	>= 0 < 2.12.1-1	2.12.1-1
fasterxml	jackson-databind	>= 2.0.0 < 2.6.7.5	2.6.7.5
fasterxml	jackson-databind	>= 2.7.0 < 2.9.10.8	2.9.10.8
oracle	agile_plm	—	—
oracle	application_testing_suite	—	—
oracle	autovue	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_extensibility_workbench	—	—
oracle	banking_extensibility_workbench	—	—
oracle	banking_extensibility_workbench	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_treasury_management	—	—
oracle	banking_virtual_account_management	—	—

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

osv8.1HIGH