Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-10673

Опубликовано: 18 мар. 2020
Источник: redhat
CVSS3: 8.1
EPSS Средний

Описание

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Отчет

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Additionally, the gadget is not available within Red Hat Openstack Platform's OpenDaylight. While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6jackson-databindOut of support scope
Red Hat CodeReady Studio 12jackson-databindAffected
Red Hat JBoss A-MQ 6jackson-databindOut of support scope
Red Hat JBoss BRMS 6jackson-databindOut of support scope
Red Hat JBoss Data Virtualization 6jackson-databindOut of support scope
Red Hat JBoss Enterprise Application Platform 6jackson-databindNot affected
Red Hat JBoss Fuse 6jackson-databindOut of support scope
Red Hat OpenShift Application Runtimesjackson-databindNot affected
Red Hat OpenShift Container Platform 3.11openshift3/ose-logging-elasticsearch5Will not fix
Red Hat OpenShift Container Platform 4openshift4/ose-logging-elasticsearch5Will not fix

Показывать по

Дополнительная информация

Статус:

Important
Дефект:
CWE-96
https://bugzilla.redhat.com/show_bug.cgi?id=1815470jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution

EPSS

Процентиль: 95%
0.20473
Средний

8.1 High

CVSS3

Связанные уязвимости

CVSS3: 8.8
ubuntu
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

CVSS3: 8.8
nvd
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

CVSS3: 8.8
debian
больше 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...

CVSS3: 8.8
github
около 5 лет назад

jackson-databind mishandles the interaction between serialization gadgets and typing

CVSS3: 8.8
fstec
больше 5 лет назад

Уязвимость компонента org.aoju.bus.proxy.provider.remoting.RmiProvider библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 95%
0.20473
Средний

8.1 High

CVSS3