Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-10672

Опубликовано: 15 мар. 2020
Источник: redhat
CVSS3: 8.1
EPSS Средний

Описание

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Отчет

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6jackson-databindOut of support scope
Red Hat CodeReady Studio 12jackson-databindAffected
Red Hat JBoss A-MQ 6jackson-databindOut of support scope
Red Hat JBoss BRMS 6jackson-databindOut of support scope
Red Hat JBoss Data Virtualization 6jackson-databindOut of support scope
Red Hat JBoss Enterprise Application Platform 6jackson-databindNot affected
Red Hat JBoss Fuse 6jackson-databindOut of support scope
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.11openshift3/ose-logging-elasticsearch5Will not fix
Red Hat OpenShift Container Platform 4openshift4/ose-logging-elasticsearch5Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-96
https://bugzilla.redhat.com/show_bug.cgi?id=1815495jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution

EPSS

Процентиль: 97%
0.4007
Средний

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-10672

CVSS3: 8.8
ubuntu
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

nvd логотип

CVE-2020-10672

CVSS3: 8.8
nvd
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

debian логотип

CVE-2020-10672

CVSS3: 8.8
debian
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...

github логотип

GHSA-95cm-88f5-f2c7

CVSS3: 8.8
github
около 5 лет назад

jackson-databind mishandles the interaction between serialization gadgets and typing

fstec логотип

BDU:2021-00768

CVSS3: 8.8
fstec
больше 5 лет назад

Уязвимость компонента org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 97%
0.4007
Средний

8.1 High

CVSS3