CVE-2021-20190: SSRF
First published: Fri Jan 15 2021(Updated: )
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Disconnected Log Collector | <=v1.0 - v1.8.2 | |
| redhat/jackson-databind | <2.9.10.7 | 2.9.10.7 |
| maven/com.fasterxml.jackson.core:jackson-databind | <2.6.7.5 | 2.6.7.5 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<2.9.10.7 | 2.9.10.7 |
| FasterXML jackson-databind | <2.6.7.5 | |
| FasterXML jackson-databind | >=2.7.0<2.9.10.7 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp OnCommand API Services | ||
| NetApp OnCommand Insight | ||
| NetApp Service Level Manager | ||
| Apache NiFi | >=1.7.0<=1.12.1 | |
| Debian Debian Linux | =9.0 | |
| Oracle Commerce Guided Search And Experience Manager | =11.3.2 |
Remedy
The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid javax.swing in the classpath
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-20190 https://nvd.nist.gov/vuln/detail/CVE-2021-20190 https://github.com/advisories/GHSA-5949-rw7g-wx7w
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- https://access.redhat.com/errata/RHSA-2021:1515
- https://access.redhat.com/errata/RHSA-2021:1230
- https://access.redhat.com/security/cve/cve-2021-20190
- https://github.com/FasterXML/jackson-databind/issues/2854
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://security.netapp.com/advisory/ntap-20210219-0008/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/195243
- https://www.ibm.com/support/pages/node/7042313 (Advisory)
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1917284
- https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
- https://github.com/advisories/GHSA-5949-rw7g-wx7w (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-20190
- https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- https://security.netapp.com/advisory/ntap-20210219-0008
Frequently Asked Questions
What is CVE-2021-20190?
CVE-2021-20190 is a vulnerability in jackson-databind that mishandles the interaction between serialization gadgets and typing, posing a threat to data confidentiality, integrity, and system availability.
How severe is CVE-2021-20190?
CVE-2021-20190 has a severity score of 8.1 (high).
Which software is affected by CVE-2021-20190?
CVE-2021-20190 affects jackson-databind versions before 2.9.10.7 and 2.6.7.5.
How can I fix CVE-2021-20190?
To fix CVE-2021-20190, update jackson-databind to version 2.9.10.7 or higher.
Where can I find more information about CVE-2021-20190?
You can find more information about CVE-2021-20190 at the following references: [CVE-2021-20190](https://www.cve.org/CVERecord?id=CVE-2021-20190), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-20190), [GitHub Advisory](https://github.com/advisories/GHSA-5949-rw7g-wx7w), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1916633), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:1515)
- collector/redhat-cve
- collector/ibm-support
- agent/first-publish-date
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20190
- agent/software-canonical-lookup
- agent/event
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5949-rw7g-wx7w
- agent/last-modified-date
- agent/references
- agent/tags
- collector/github-advisory
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- vendor/ibm
- canonical/ibm disconnected log collector
- version/ibm disconnected log collector/v1.0 - v1.8.2
- package-manager/redhat
- package-manager/maven
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.7.0
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager windows
- canonical/netapp oncommand api services
- canonical/netapp oncommand insight
- canonical/netapp service level manager
- vendor/apache
- canonical/apache nifi
- version/apache nifi/1.7.0
- version/apache nifi/1.12.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle commerce guided search and experience manager
- version/oracle commerce guided search and experience manager/11.3.2