First published: Wed Mar 25 2020(Updated: )
FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/Jackson-databind | <2.9.10.4 | 2.9.10.4 |
redhat/rh-maven35-jackson-databind | <0:2.7.6-2.9.el7 | 0:2.7.6-2.9.el7 |
IBM Data Risk Manager | <=2.0.6 | |
FasterXML jackson-databind | >=2.9.0<2.9.10.4 | |
Debian Debian Linux | =8.0 | |
Netapp Steelstore Cloud Integrated Storage | ||
Oracle Agile PLM | =9.3.6 | |
Oracle Autovue For Agile Product Lifecycle Management | =21.0.2 | |
Oracle Banking Digital Experience | =18.1 | |
Oracle Banking Digital Experience | =18.2 | |
Oracle Banking Digital Experience | =18.3 | |
Oracle Banking Digital Experience | =19.1 | |
Oracle Banking Digital Experience | =19.2 | |
Oracle Banking Digital Experience | =20.1 | |
Oracle Banking Platform | >=2.4.0<=2.9.0 | |
Oracle Communications Calendar Server | =8.0.0.4.0 | |
Oracle Communications Contacts Server | =8.0.0.4.0 | |
Oracle Communications Contacts Server | =8.0.0.5.0 | |
Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
Oracle Communications Element Manager | >=8.2.0<=8.2.2 | |
Oracle Communications Evolved Communications Application Server | =7.1 | |
Oracle Communications Instant Messaging Server | =10.0.1.4.0 | |
Oracle Communications Network Charging And Control | >=12.0.0<=12.0.3 | |
Oracle Communications Network Charging And Control | =6.0.1 | |
Oracle Communications Session Report Manager | >=8.2.0<=8.2.2 | |
Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.1.0 | |
Oracle Financial Services Institutional Performance Analytics | =8.0.6 | |
Oracle Financial Services Institutional Performance Analytics | =8.0.7 | |
Oracle Financial Services Institutional Performance Analytics | =8.1.0 | |
Oracle Financial Services Price Creation and Discovery | =8.0.6 | |
Oracle Financial Services Price Creation and Discovery | =8.0.7 | |
Oracle Financial Services Retail Customer Analytics | =8.0.6 | |
Oracle Global Lifecycle Management Opatch | <12.2.0.1.20 | |
Oracle Insurance Policy Administration J2EE | =11.0.2.25 | |
Oracle Insurance Policy Administration J2EE | =11.1.0.15 | |
Oracle Jd Edwards Enterpriseone Orchestrator | <9.2.4.2 | |
Oracle Jd Edwards Enterpriseone Tools | <9.2.4.2 | |
Oracle Primavera Unifier | >=17.7<=17.12 | |
Oracle Primavera Unifier | =16.1 | |
Oracle Primavera Unifier | =16.2 | |
Oracle Primavera Unifier | =18.8 | |
Oracle Primavera Unifier | =19.12 | |
Oracle Retail Merchandising System | =15.0 | |
Oracle Retail Sales Audit | =14.1 | |
Oracle Retail Service Backbone | =14.1 | |
Oracle Retail Service Backbone | =15.0 | |
Oracle Retail Service Backbone | =16.0 | |
Oracle Retail Xstore Point of Service | =15.0 | |
Oracle Retail Xstore Point of Service | =16.0 | |
Oracle Retail Xstore Point of Service | =17.0 | |
Oracle Retail Xstore Point of Service | =18.0 | |
Oracle Retail Xstore Point of Service | =19.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2020-11112 is a vulnerability found in FasterXML jackson-databind 2.x before 2.9.10.4 that mishandles the interaction between serialization gadgets and typing.
The severity of CVE-2020-11112 is high, with a CVSS score of 8.1.
CVE-2020-11112 can lead to data confidentiality and integrity compromises, as well as system availability issues.
FasterXML jackson-databind 2.x up to but excluding 2.9.10.4 is affected by CVE-2020-11112.
To fix CVE-2020-11112, update FasterXML jackson-databind to version 2.9.10.4 or later.