FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets     and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. (CVE-2020-24750)

Note that Nessus relies on the presence of the package as reported by the vendor.

The versions of Oracle Siebel CRM installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Services     (jackson-databind)). Supported versions that are affected are 21.5 and Prior. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Core -     Server Framework. Successful attacks of this vulnerability can result in takeover of Siebel Core - Server     Framework. (CVE-2020-24750)

  - Vulnerability in the Siebel Core - Automation product of Oracle Siebel CRM (component: Test Automation     (Eclipse Jetty)). Supported versions that are affected are 21.5 and Prior. Easily exploitable     vulnerability allows low privileged attacker with logon to the infrastructure where Siebel Core -     Automation executes to compromise Siebel Core - Automation. Successful attacks of this vulnerability can     result in takeover of Siebel Core - Automation. (CVE-2020-27216)

  - Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Cloud Gateway     (Zookeeper)). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Siebel Core - Server Framework.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of Siebel Core - Server Framework. (CVE-2017-5637)

  - Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Email Marketing     Stand-Alone). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing.
    Successful attacks require human interaction from a person other than the attacker and while the     vulnerability is in Siebel Apps - Marketing, attacks may significantly impact additional products.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Siebel Apps - Marketing accessible data as well as unauthorized read access to a subset of Siebel     Apps - Marketing accessible data. (CVE-2021-2338)

  - Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: Siebel Core - Server     Infrastructure). Supported versions that are affected are 21.5 and Prior. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Siebel CRM.
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all Siebel CRM accessible data. (CVE-2021-2368)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-0303 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:4173 advisory.

    The jackson-databind package provides general data-binding functionality for Jackson, which works on top     of Jackson core streaming API.

    Security Fix(es):

    * jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration     (CVE-2020-24750)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Multiple security vulnerabilities were found in Jackson Databind.

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDICS.

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DMCS.

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing.
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

For Debian 9 stretch, these problems have been fixed in version 2.8.6-1+deb9u9.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
251671	Linux Distros Unpatched Vulnerability : CVE-2020-24750	Nessus	Misc.	high
212428	Oracle Siebel Server (July 2021 CPU)	Nessus	Misc.	high
194923	Splunk Enterprise 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0303)	Nessus	CGI abuses	critical
170349	RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:4173)	Nessus	Red Hat Local Security Checks	high
149019	Debian DLA-2638-1 : jackson-databind security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-24750

high

Tenable Plugins

high

high

critical

high

high