CVE-2020-9546

CWE-502Deserialization of Untrusted Data13 documents9 sources
Severity
9.8CRITICAL
EPSS
2.3%
top 15.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
31
Fasterxml Jackson-databindOracle Global Lifecycle Management OpatchOracle JD Edwards Enterpriseone Orchestrator+28 more
Timeline
PublishedMar 2
Latest updateMar 15

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages32 packages

NVDfasterxml/jackson-databind2.7.02.7.9.7+2
Debianjackson-databind< 2.11.1-1+3

Also affects: Debian Linux 8.0

Patches

Patch: github.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
jackson-databind mishandles the interaction between serialization gadgets and typing2020-04-23
OSV
jackson-databind mishandles the interaction between serialization gadgets and typing2020-04-23
CVEList
CVE-2020-9546: FasterXML jackson-databind 22020-03-02
OSV
CVE-2020-9546: FasterXML jackson-databind 22020-03-02

📋Vendor Advisories

6
Ubuntu
Jackson Databind vulnerabilities2021-03-15
Oracle
Oracle Oracle Retail Applications Risk Matrix: Foundation (jackson-databind) — CVE-2020-95462021-01-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (jackson-databind) — CVE-2020-95462020-10-15
Oracle
Oracle Oracle Global Lifecycle Management Risk Matrix: Patch Installer (jackson-databind) — CVE-2020-95462020-07-15
Red Hat
jackson-databind: Serialization gadgets in shaded-hikari-config2020-03-02

💬Community

2
Bugzilla
CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config2020-03-23
Bugzilla
CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config [fedora-all]2020-03-23