FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets     and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
    (CVE-2020-36189)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-0303 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 17.12.11, 18.8.11, 19.12.10, and 20.12.0 versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Nimbus JOSE+JWT)). Supported versions that are affected are 18.8.0-18.8.11. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera     Gateway. Successful attacks of this vulnerability can result in takeover of Primavera Gateway.
    (CVE-2019-17195)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Lodash)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10 and     20.12.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data and     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.
    (CVE-2020-8203)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Netty)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11 and 19.12.0-19.12.10.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data.
    (CVE-2021-21409)     
  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:
    jackson-databind). (CVE-2020-36189)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 17.12, 18.8, 19.12, and 20.12 versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Security-in-Depth issue in the Oracle Spatial and Graph Network Data Model (jackson-databind) component of     Oracle Primavera Unifier. (CVE-2020-36189)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core     (Apache PDFbox)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and 20.12. Easily     exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Primavera     Unifier executes to compromise Primavera Unifier. Successful attacks require human interaction from a     person other than the attacker. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Unifier.
    (CVE-2021-27906)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core UI     (dojo)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and 20.12. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Unifier.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Primavera Unifier accessible data. (CVE-2020-5258)

  - Security-in-Depth issue in the Oracle Spatial and Graph Network Data Model (jackson-databind) component of     Oracle Database Server. This vulnerability cannot be exploited in the context of this product.
    (CVE-2020-25649)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Multiple security vulnerabilities were found in Jackson Databind.

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDICS.

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DMCS.

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing.
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

For Debian 9 stretch, these problems have been fixed in version 2.8.6-1+deb9u9.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
251721	Linux Distros Unpatched Vulnerability : CVE-2020-36189	Nessus	Misc.	high
194923	Splunk Enterprise 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0303)	Nessus	CGI abuses	critical
151974	Oracle Primavera Gateway (Jul 2021 CPU)	Nessus	CGI abuses	critical
151973	Oracle Primavera Unifier (Jul 2021 CPU)	Nessus	CGI abuses	high
149019	Debian DLA-2638-1 : jackson-databind security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-36189

high

Tenable Plugins

high

critical

critical

high

high