First published: Thu Sep 17 2020(Updated: )
FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
FasterXML jackson-databind | >=2.0.0<2.6.7.5 | |
FasterXML jackson-databind | >=2.7.0<2.9.10.6 | |
Oracle Agile PLM | =9.3.6 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Autovue For Agile Product Lifecycle Management | =21.0.2 | |
Oracle Banking Corporate Lending Process Management | =14.2.0 | |
Oracle Banking Corporate Lending Process Management | =14.3.0 | |
Oracle Banking Corporate Lending Process Management | =14.5.0 | |
Oracle Banking Credit Facilities Process Management | =14.2.0 | |
Oracle Banking Credit Facilities Process Management | =14.3.0 | |
Oracle Banking Credit Facilities Process Management | =14.5.0 | |
Oracle Banking Liquidity Management | =14.2 | |
Oracle Banking Liquidity Management | =14.3 | |
Oracle Banking Liquidity Management | =14.5 | |
Oracle Banking Supply Chain Finance | =14.2.0 | |
Oracle Banking Supply Chain Finance | =14.3.0 | |
Oracle Banking Supply Chain Finance | =14.5.0 | |
Oracle Blockchain Platform | <21.1.2 | |
Oracle Communications Calendar Server | =8.0 | |
Oracle Communications Calendar Server | =8.0.0.4.0 | |
Oracle Communications Contacts Server | =8.0 | |
Oracle Communications Contacts Server | =8.0.0.5.0 | |
Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
Oracle Communications Element Manager | >=8.2.0<=8.2.4.0 | |
Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
Oracle Communications Messaging Server | =8.1 | |
Oracle Communications Offline Mediation Controller | =12.0.0.3.0 | |
Oracle Communications Policy Management | =12.5.0 | |
Oracle Communications Pricing Design Center | =12.0.0.4.0 | |
Oracle Communications Services Gatekeeper | =7.0 | |
Oracle Communications Session Report Manager | >=8.0.0.0<=8.2.2.1 | |
Oracle Communications Session Route Manager | >=8.2.0<=8.2.2.1 | |
Oracle Communications Unified Inventory Management | =7.4.1 | |
Oracle Identity Manager Connector | =11.1.1.5.0 | |
Oracle Siebel Core - Server Framework | <=21.5 | |
Oracle Siebel Ui Framework | <=21.2 | |
Debian Debian Linux | =9.0 | |
redhat/rh-maven35-jackson-databind | <0:2.7.6-2.11.el7 | 0:2.7.6-2.11.el7 |
redhat/jackson-databind | <2.9.10.6 | 2.9.10.6 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<=2.9.10.5 | 2.9.10.6 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.0<=2.6.7.4 | 2.6.7.5 |
IBM Disconnected Log Collector | <=v1.0 - v1.8.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2020-24750 is a vulnerability in jackson-databind versions prior to 2.9.10.6 which mishandles the interaction between serialization gadgets and typing.
CVE-2020-24750 has a severity rating of 8.1, which is categorized as high.
CVE-2020-24750 poses a threat to data confidentiality.
CVE-2020-24750 poses a threat to system availability.
To fix CVE-2020-24750, update to jackson-databind version 2.9.10.6 or higher.