Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-8840

Опубликовано: 02 мар. 2020
Источник: redhat
CVSS3: 8.1
EPSS Низкий

Описание

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

A flaw was found in FasterXML jackson-databind in versions 2.0.0 through 2.9.10.2. A "gadget" exploit is possible due to a lack of a Java object being blocking from being deserialized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Отчет

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release. Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat JBoss A-MQ 6jackson-databindOut of support scope
Red Hat JBoss Enterprise Application Platform Continuous Deliveryjackson-databindOut of support scope
Red Hat JBoss Fuse 6jackson-databindOut of support scope
Red Hat Mobile Application Platform 4jackson-databindOut of support scope
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.11openshift3/ose-logging-elasticsearch5Will not fix
Red Hat OpenShift Container Platform 4openshift4/ose-logging-elasticsearch5Will not fix
Red Hat OpenStack Platform 10 (Newton)opendaylightOut of support scope
Red Hat OpenStack Platform 13 (Queens)opendaylightWill not fix
Red Hat Software Collectionsrh-maven35-jackson-databindWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1816330jackson-databind: Lacks certain xbean-reflect/JNDI blocking

EPSS

Процентиль: 92%
0.08164
Низкий

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-8840

CVSS3: 9.8
ubuntu
больше 5 лет назад

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

nvd логотип

CVE-2020-8840

CVSS3: 9.8
nvd
больше 5 лет назад

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

debian логотип

CVE-2020-8840

CVSS3: 9.8
debian
больше 5 лет назад

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...

github логотип

GHSA-4w82-r329-3q67

CVSS3: 9.8
github
больше 5 лет назад

Deserialization of Untrusted Data in jackson-databind

fstec логотип

BDU:2021-01572

CVSS3: 7.5
fstec
больше 5 лет назад

Уязвимость компонента xbean-reflect/JNDI библиотеки Jackson-databind, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

EPSS

Процентиль: 92%
0.08164
Низкий

8.1 High

CVSS3