Multiple vulnerabilities in FasterXML jackson-databind



Published: 2020-03-09 | Updated: 2022-11-23
Risk High
Patch available YES
Number of vulnerabilities 13
CVE-ID CVE-2020-9546
CVE-2020-9547
CVE-2020-9548
CVE-2020-11111
CVE-2020-10673
CVE-2020-10672
CVE-2020-10969
CVE-2020-10968
CVE-2020-11113
CVE-2020-11112
CVE-2020-11620
CVE-2020-11619
CVE-2020-10650
CWE-ID CWE-502
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #5 is available.
Public exploit code for vulnerability #9 is available.
Vulnerable software
Subscribe
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor FasterXML

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

Updated: 01.04.2020

Added vulnerabilities #4-10.

Updated: 12.04.2020

Changed bulletin status to patched.

Updated 20.04.2020

Added vulnerabilities #11-12

Updated: 23.11.2022

Added vulnerability #13

1) Deserialization of Untrusted Data

EUVDB-ID: #VU25830

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-9546

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

  • org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3, 2.8.0 - 2.8.11.5, 2.7.0 - 2.7.9.6, 2.6.0 - 2.6.8, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5, 2.2.0 - 2.2.4, 2.1.0 - 2.1.5, 2.0.0 - 2.0.6


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2631
http://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
http://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Deserialization of Untrusted Data

EUVDB-ID: #VU25831

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-9547

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

  • com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3, 2.8.0 - 2.8.11.5, 2.7.0 - 2.7.9.6, 2.6.0 - 2.6.8, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5, 2.2.0 - 2.2.4, 2.1.0 - 2.1.5, 2.0.0 - 2.0.6


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2634
http://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E
http://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Deserialization of Untrusted Data

EUVDB-ID: #VU25832

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-9548

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

  • br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3, 2.8.0 - 2.8.11.5, 2.7.0 - 2.7.9.6, 2.6.0 - 2.6.8, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5, 2.2.0 - 2.2.4, 2.1.0 - 2.1.5, 2.0.0 - 2.0.6


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2634
http://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E
http://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
http://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Deserialization of Untrusted Data

EUVDB-ID: #VU26488

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-11111

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.activemq.*. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2664
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Deserialization of Untrusted Data

EUVDB-ID: #VU26494

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-10673

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2660
http://lists.debian.org/debian-lts-announce/2020/03/msg00027.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Deserialization of Untrusted Data

EUVDB-ID: #VU26493

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-10672

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2659
http://lists.debian.org/debian-lts-announce/2020/03/msg00027.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Deserialization of Untrusted Data

EUVDB-ID: #VU26492

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-10969

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to  javax.swing.JEditorPane. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2642
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Deserialization of Untrusted Data

EUVDB-ID: #VU26491

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-10968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2662
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Deserialization of Untrusted Data

EUVDB-ID: #VU26490

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-11113

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2670
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Deserialization of Untrusted Data

EUVDB-ID: #VU26489

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-11112

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2666
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Deserialization of Untrusted Data

EUVDB-ID: #VU27032

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-11620

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the affected software mishandles the interaction between serialization gadgets and typing, related to "org.apache.commons.jelly.impl.Embedded" (aka commons-jelly). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.11.6, 2.7.0 - 2.7.9.7, 2.9.0 - 2.9.10.3, 2.6.0 - 2.6.8, 2.2.0 - 2.2.4, 2.1.0 - 2.1.5, 2.0.0 - 2.0.6, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2682
http://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Deserialization of Untrusted Data

EUVDB-ID: #VU27031

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-11619

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to affected software mishandles the interaction between serialization gadgets and typing, related to "org.springframework.aop.config.MethodLocatingFactoryBean" (aka spring-aop). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.11.6, 2.7.0 - 2.7.9.7, 2.9.0 - 2.9.10.3, 2.6.0 - 2.6.8, 2.2.0 - 2.2.4, 2.1.0 - 2.1.5, 2.0.0 - 2.0.6, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/2680
http://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Deserialization of Untrusted Data

EUVDB-ID: #VU69512

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-10650

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data when handling interactions related to the class ignite-jta. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.3, 2.6.0 - 2.6.8


CPE2.3 External links

http://github.com/advisories/GHSA-rpr3-cw39-3pxh
http://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###