CVE-2020-25649

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

References

https://github.com/FasterXML/jackson-databind/issues/2589

https://bugzilla.redhat.com/show_bug.cgi?id=1887664

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb63[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.servicecomb.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd[email protected]%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://security.netapp.com/advisory/ntap-20210108-0007/

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/

https://lists.apache.org/thread.html/[email protected]%3Ccommits.karaf.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.karaf.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.karaf.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.karaf.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.turbine.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Creviews.iotdb.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.iotdb.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Creviews.iotdb.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.iotdb.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Creviews.iotdb.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.knox.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.knox.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

https://lists.apache.org/thread.html/[email protected]%3Cuser.spark.apache.org%3E

https://www.oracle.com//security-alerts/cpujul2021.html

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.hive.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2020-12-03

Updated: 2021-10-26

Type: CWE-611

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* versions up to 1.6.1 (inclusive)

Configuration 5

OR

cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.10.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_treasury_management:4.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_platform:11.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_platform:*:*:*:*:*:*:*:* versions from 11.3.0 to 11.3.2 (inclusive)

cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:* versions from 11.1.0 to 11.3.0 (inclusive)

cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:* versions from 11.1.0 to 11.3.0 (inclusive)

cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.12.0 to 17.12.11 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 18.8.0 to 18.8.11 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 19.12.0 to 19.12.10 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*

cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*

cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

Tenable Plugins

View all (14 total)

IDNameProductFamilySeverity
152026Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)NessusDatabases
high
151974Oracle Primavera Gateway (Jul 2021 CPU)NessusCGI abuses
high
151973Oracle Primavera Unifier (Jul 2021 CPU)NessusCGI abuses
high
148924Oracle WebLogic Server Multiple Vulnerabilities (Apr 2021 CPU)NessusMisc.
critical
148923Oracle Coherence (Apr 2021 CPU)NessusMisc.
high
146373Fedora 32 : jackson-databind (2021-1d8254899c)NessusFedora Local Security Checks
high
146144openSUSE Security Update : jackson-databind (openSUSE-2021-221)NessusSuSE Local Security Checks
high
146074RHEL 8 : RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4] (Low) (RHSA-2021:0381)NessusRed Hat Local Security Checks
high
144306JFrog < 7.11.1 Multiple VulnerabilitiesNessusMisc.
critical
143474RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5342)NessusRed Hat Local Security Checks
high
143473RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5340)NessusRed Hat Local Security Checks
high
143472RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5341)NessusRed Hat Local Security Checks
high
142028RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3 (RHSA-2020:4401)NessusRed Hat Local Security Checks
high
141463Debian DLA-2406-1 : jackson-databind security updateNessusDebian Local Security Checks
high