A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly.
    This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this     vulnerability is data integrity. (CVE-2020-25649)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-0303 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:4312 advisory.

    The jackson-databind package provides general data-binding functionality for Jackson, which works on top     of Jackson core streaming API.

    Security Fix(es):

    * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external     entity (XXE) (CVE-2020-25649)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:1678-1 advisory.

  - A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly.
    This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this     vulnerability is data integrity. (CVE-2020-25649)

  - This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before     2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a     java.lang.OutOfMemoryError exception. (CVE-2020-28491)

  - jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large     depth of nested objects. (CVE-2020-36518)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the April 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

  - An XML external entity vulnerability in the bundled jackson-databind component which allows an unauthenticated     attacker with network access via HTTP to access, create or delete all data accessible to Oracle WebCenter     Portal. (CVE-2020-25649)

  - Denial of service vulnerabilities in the bundled Apache Tika, jsoup, Netty and Apache Commons Compress components which     allow an unauthenticated attacker with network access via HTTP to cause a hang or frequently repeatable crash     of the Oracle WebCenter Portal. (CVE-2020-28657, CVE-2021-36090, CVE-2021-37137, CVE-2021-37714)

  - A path traversal vulnerability in the bundled Apache Commons IO component which allows an unauthenticated attacker     with network access via HTTP to read, update or delete a subset of data accessible to Oracle WebCenter Portal.
    (CVE-2021-29425)

  - A Denial of service vulnerability in the bundled Apache PDFBox component which allows an unauthenticated attacker     with logon to the infrastructure where Oracle WebCenter Portal executes, with human interaction from another user     to cause a hang or frequently repeatable crash of the Oracle WebCenter Portal. (CVE-2021-31912)

  - A cross-site scripting vulnerability in the bundled CKEditor component which allows a low privileged attacker     with network access via HTTP, with human interaction from another user, to read, update or delete a subset of     data accessible to Oracle WebCenter Portal. (CVE-2021-41165)

  - A remote code execution vulnerability in the bundled Apache Log4J component which allows a high privileged     attacker with network access via HTTP to execute arbitrary code on the Oracle WebCenter Portal. (CVE-2021-44832)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions     that are affected are 12.1.0.2 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require     human interaction from a person other than the attacker and while the vulnerability is in Advanced     Networking Option, attacks may significantly impact additional products. Successful attacks of this     vulnerability can result in takeover of Advanced Networking Option. (CVE-2021-2351)

  - Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected     are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any     Procedure, Alter Any Table privilege with network access via Oracle Net to compromise Oracle Text.
    Successful   attacks of this vulnerability can result in takeover of Oracle Text. (CVE-2021-2328)

  - Vulnerability in the Oracle XML DB component of Oracle Database Server. Supported versions that are     affected   are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having     Create Any   Procedure, Create Public Synonym privilege with network access via Oracle Net to compromise     Oracle XML DB.   Successful attacks of this vulnerability can result in takeover of Oracle XML DB.
    (CVE-2021-2329)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 17.12.11, 18.8.11, 19.12.10, and 20.12.0 versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Nimbus JOSE+JWT)). Supported versions that are affected are 18.8.0-18.8.11. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera     Gateway. Successful attacks of this vulnerability can result in takeover of Primavera Gateway.
    (CVE-2019-17195)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Lodash)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10 and     20.12.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data and     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.
    (CVE-2020-8203)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Netty)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11 and 19.12.0-19.12.10.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data.
    (CVE-2021-21409)     
  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:
    jackson-databind). (CVE-2020-36189)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 17.12, 18.8, 19.12, and 20.12 versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Security-in-Depth issue in the Oracle Spatial and Graph Network Data Model (jackson-databind) component of     Oracle Primavera Unifier. (CVE-2020-36189)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core     (Apache PDFbox)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and 20.12. Easily     exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Primavera     Unifier executes to compromise Primavera Unifier. Successful attacks require human interaction from a     person other than the attacker. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Unifier.
    (CVE-2021-27906)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core UI     (dojo)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and 20.12. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Unifier.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Primavera Unifier accessible data. (CVE-2020-5258)

  - Security-in-Depth issue in the Oracle Spatial and Graph Network Data Model (jackson-databind) component of     Oracle Database Server. This vulnerability cannot be exploited in the context of this product.
    (CVE-2020-25649)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory.

  - An unspecified vulnerability exists in the Coherence Container component. Easily exploitable vulnerability     allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2021-2135)

  - An unspecified vulnerability exists in the Core component. Easily exploitable vulnerability allows     unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful     attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2021-2136)     
  - An unspecified vulnerability exists in the TopLink Integration component. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all Oracle WebLogic Server accessible data. (CVE-2021-2157)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of the Oracle Coherence installed on the remote host is missing a critical patch update. It is, therefore, affected by a vulnerability, as referenced in the April 2021 CPU advisory.

  - Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core   (jackson-databind)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily   exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise   Oracle Coherence. Successful attacks of this vulnerability can result in unauthorized creation,   deletion or modification access to critical data or all Oracle Coherence accessible data (CVE-2020-25649).

  - Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported   versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily   exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise   Oracle Coherence. Successful attacks of this vulnerability can result in unauthorized access to critical   data or complete access to all Oracle Coherence accessible data (CVE-2021-2277). 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 32 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2021-1d8254899c advisory.

  - A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly.
    This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this     vulnerability is data integrity. (CVE-2020-25649)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for jackson-databind fixes the following issues :

jackson-databind was updated to 2.10.5.1 :

  - #2589: `DOMDeserializer`:
    setExpandEntityReferences(false) may not prevent     external entity expansion in all cases (CVE-2020-25649,     bsc#1177616)

  - #2787 (partial fix): NPE after add mixin for enum

  - #2679: 'ObjectMapper.readValue('123', Void.TYPE)' throws     'should never occur'

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0381 advisory.

    The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform     that allows system administrators to view and manage virtual machines. The Manager provides a     comprehensive range of features including search capabilities, resource management, live migrations, and     virtual infrastructure provisioning.

    The Manager is a JBoss Application Server application that provides several interfaces through which the     virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal,     and a Representational State Transfer (REST) Application Programming Interface (API).

    Security Fix(es):

    * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external     entity (XXE) (CVE-2020-25649)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 7.11.1. It is, therefore, affected by multiple vulnerabilities:

  - A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly.
    This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability     is data integrity. (CVE-2020-25649)   
  - Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents     of double quoted strings. (CVE-2017-1000487)

  - In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration     with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was     vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and     content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an     intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on     unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake     pipelined request would not be interpreted by the intermediary as a request. (CVE-2017-7657)

  - In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java     deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable     classes exist in the classpath, the attacker can run arbitrary code. (CVE-2016-10750)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5342 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external     entity (CVE-2020-25649)

    * hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String     literals are used (CVE-2020-25638)

    * wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5340 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external     entity (CVE-2020-25649)

    * hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String     literals are used (CVE-2020-25638)

    * wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5341 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external     entity (CVE-2020-25649)

    * hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String     literals are used (CVE-2020-25638)

    * wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:4401 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.3 for Red     Hat Enterprise Linux 6, 7, and 8.

    Security Fix(es):

    * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external     entity (CVE-2020-25649)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that there was an external entity expansion vulnerability in jackson-databind, a Java library for processing JSON.

For Debian 9 'Stretch', this problem has been fixed in version 2.8.6-1+deb9u8.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
229895	Linux Distros Unpatched Vulnerability : CVE-2020-25649	Nessus	Misc.	high
194923	Splunk Enterprise 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0303)	Nessus	CGI abuses	critical
170324	RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:4312)	Nessus	Red Hat Local Security Checks	high
161231	SUSE SLED15 / SLES15 Security Update : jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (SUSE-SU-2022:1678-1)	Nessus	SuSE Local Security Checks	high
159954	Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2022 CPU)	Nessus	Misc.	high
152026	Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)	Nessus	Databases	critical
151974	Oracle Primavera Gateway (Jul 2021 CPU)	Nessus	CGI abuses	critical
151973	Oracle Primavera Unifier (Jul 2021 CPU)	Nessus	CGI abuses	high
148924	Oracle WebLogic Server Multiple Vulnerabilities (Apr 2021 CPU)	Nessus	Misc.	high
148923	Oracle Coherence (Apr 2021 CPU)	Nessus	Misc.	high
146373	Fedora 32 : jackson-databind (2021-1d8254899c)	Nessus	Fedora Local Security Checks	high
146144	openSUSE Security Update : jackson-databind (openSUSE-2021-221)	Nessus	SuSE Local Security Checks	high
146074	RHEL 8 : RHV-M(ovirt-engine) 4.4.z security, update [ovirt-4.4.4] (Low) (RHSA-2021:0381)	Nessus	Red Hat Local Security Checks	high
144306	JFrog < 7.11.1 Multiple Vulnerabilities	Nessus	Misc.	critical
143474	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5342)	Nessus	Red Hat Local Security Checks	high
143473	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5340)	Nessus	Red Hat Local Security Checks	high
143472	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5341)	Nessus	Red Hat Local Security Checks	high
142028	RHEL 6 / 7 / 8 : Red Hat JBoss Enterprise Application Platform 7.3 (RHSA-2020:4401)	Nessus	Red Hat Local Security Checks	high
141463	Debian DLA-2406-1 : jackson-databind security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-25649

high

Tenable Plugins

high

critical

high

high

high

critical

critical

high

high

high

high

high

high

critical

high

high

high

high

high