CVE-2020-8840 — Deserialization of Untrusted Data in Jackson-databind

CWE-502 — Deserialization of Untrusted Data10 documents8 sources

Severity

9.8CRITICALNVD

EPSS

8.2%

top 7.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Oracle Global Lifecycle Management Opatch Debian Linux +1 more

Timeline

PublishedFeb 10

Latest updateMar 15

Description

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDfasterxml/jackson-databind2.0.0 — 2.7.9.7+2

▶Debianfasterxml/jackson-databind< 2.11.1-1+3

▶NVDoracle/global_lifecycle_management_opatch12.2.0.1.0 — 12.2.0.1.19+2

▶NVDhuawei/oceanstor_9000_firmware4 versions+3

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in jackson-databind↗2020-03-04

▶

OSV

Deserialization of Untrusted Data in jackson-databind↗2020-03-04

▶

OSV

CVE-2020-8840: FasterXML jackson-databind 2↗2020-02-10

▶

CVEList

CVE-2020-8840: FasterXML jackson-databind 2↗2020-02-10

▶

📋Vendor Advisories

Ubuntu

Jackson Databind vulnerabilities↗2021-03-15

▶

Red Hat

jackson-databind: Lacks certain xbean-reflect/JNDI blocking↗2020-03-02

▶

Debian

CVE-2020-8840: jackson-databind - FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JN...↗2020

▶

💬Community

Bugzilla

CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking↗2020-03-23

▶

Bugzilla

CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking [fedora-all]↗2020-03-23

▶