CVE-2019-20330

Home/CVE/FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

CVE

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

CRITICAL · CVSS 9.8 EPSS 0.01914

Schedule remediation

CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-502Deserialization of Untrusted Data

▤

Affected Products & Versions

fasterxml jackson-databind>= 2.0.0 and < 2.7.9.7
fasterxml jackson-databind>= 2.8.0 and < 2.8.11.5
fasterxml jackson-databind>= 2.9.0 and < 2.9.10.2
oracle banking platform>= 2.4.0 and <= 2.9.0
oracle communications billing and revenue managementall versions
oracle communications cloud native core network slice selection functionall versions
oracle communications contacts serverall versions
oracle communications evolved communications application serverall versions
Show all 37 affected productsoracle communications instant messaging serverall versions
oracle communications network charging and control>= 12.0.0 and <= 12.0.3
oracle communications network charging and controlall versions
oracle customer management and segmentation foundationall versions
oracle enterprise manager base platformall versions
oracle global lifecycle management opatch< 11.2.0.3.23
oracle global lifecycle management opatch>= 12.2.0.1.0 and < 12.2.0.1.19
oracle global lifecycle management opatch>= 13.9.4.0.0 and < 13.9.4.2.1
oracle goldengate application adaptersall versions
oracle goldengate stream analytics< 19.1.0.0.1
oracle jd edwards enterpriseone orchestrator< 9.2.4.2
oracle jd edwards enterpriseone tools< 9.2.4.2
oracle primavera unifier>= 17.7 and <= 17.12
oracle primavera unifierall versions
oracle retail merchandising systemall versions
oracle retail sales auditall versions
oracle retail xstore point of serviceall versions
oracle siebel engineering - installer \& deployment<= 2.20.5
oracle siebel ui framework<= 20.5
oracle trace file analyzerall versions
oracle webcenter portalall versions
oracle weblogic serverall versions
debian linuxall versions
netapp active iq unified manager>= 7.3
netapp active iq unified manager>= 9.5
netapp oncommand api servicesall versions
netapp service level managerall versions
netapp snapcenterall versions
netapp steelstore cloud integrated storageall versions

▤

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven com.fasterxml.jackson.core:jackson-databind CRITICAL fixed in 2.6.7.4

▣

Scoring & Timeline

9.8

CRITICAL · CVSS v3.1 · cve@mitre.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD03 Jan 2020 · 04:15 AM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

⚑

Vendor Advisories

suse-csafopenSUSE-SU-2024:10868-1
usnUSN-4813-1
rhsaRHBA-2020:1494Important
rhsaRHSA-2020:3192Important
rhsaRHBA-2020:3255Important
Show all 12 vendor advisoriesrhsaRHSA-2020:3197Important
rhsaRHSA-2020:3196Important
rhsaRHSA-2020:2333Moderate
rhsaRHSA-2020:2067Important
rhsaRHSA-2020:0951Moderate
rhsaRHSA-2020:1644Important
rhsaRHSA-2020:0939Important