ID CVE-2020-11111
Summary FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
References
Vulnerable Configurations
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.10:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.10.3:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_contacts_server:8.0.0.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_contacts_server:8.0.0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:global_lifecycle_management_opatch:11.2.0.3.23:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:global_lifecycle_management_opatch:11.2.0.3.23:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:global_lifecycle_management_opatch:12.2.0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:global_lifecycle_management_opatch:12.2.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:global_lifecycle_management_opatch:12.2.0.1.19:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:global_lifecycle_management_opatch:12.2.0.1.19:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 10-12-2021 - 17:10)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
rpms
  • rh-maven35-jackson-databind-0:2.7.6-2.9.el7
  • rh-maven35-jackson-databind-javadoc-0:2.7.6-2.9.el7
refmap via4
confirm https://security.netapp.com/advisory/ntap-20200403-0002/
misc
mlist [debian-lts-announce] 20200417 [SECURITY] [DLA 2179-1] jackson-databind security update
Last major update 10-12-2021 - 17:10
Published 31-03-2020 - 05:15
Last modified 10-12-2021 - 17:10
Back to Top