Multiple vulnerabilities in FasterXML jackson-databind



Published: 2021-01-11
Risk: High
Patch available: Yes
Number of vulnerabilities: 14
CVE-ID: CVE-2020-36188
CVE-2020-35491
CVE-2020-35490
CVE-2020-35728
CVE-2020-36189
CVE-2020-36187
CVE-2020-36186
CVE-2020-36185
CVE-2020-36184
CVE-2020-36181
CVE-2020-36183
CVE-2020-36182
CVE-2020-36180
CVE-2020-36179
CWE-ID: CWE-502
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #9 is available.
Public exploit code for vulnerability #13 is available.
Vulnerable software: jackson-databind (Universal components / Libraries / Libraries used by multiple products)

Vendor: FasterXML

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU49367

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36188

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2996

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

2) Deserialization of Untrusted Data

EUVDB-ID: #VU49380

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-35491

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.commons.dbcp2.datasources.SharedPoolDataSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2986

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

3) Deserialization of Untrusted Data

EUVDB-ID: #VU49379

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-35490

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.commons.dbcp2.datasources.PerUserPoolDataSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2986

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

4) Deserialization of Untrusted Data

EUVDB-ID: #VU49378

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-35728

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool class (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://github.com/FasterXML/jackson-databind/issues/2999
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

5) Deserialization of Untrusted Data

EUVDB-ID: #VU49377

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36189

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2996

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

6) Deserialization of Untrusted Data

EUVDB-ID: #VU49376

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36187

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2997

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

7) Deserialization of Untrusted Data

EUVDB-ID: #VU49375

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36186

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2997

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

8) Deserialization of Untrusted Data

EUVDB-ID: #VU49374

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36185

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2998

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

9) Deserialization of Untrusted Data

EUVDB-ID: #VU49373

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36184

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/2998

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

10) Deserialization of Untrusted Data

EUVDB-ID: #VU49372

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36181

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/3004

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

11) Deserialization of Untrusted Data

EUVDB-ID: #VU49371

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36183

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/3003

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

12) Deserialization of Untrusted Data

EUVDB-ID: #VU49370

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36182

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/3004

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

13) Deserialization of Untrusted Data

EUVDB-ID: #VU49369

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36180

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/3004

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?

14) Deserialization of Untrusted Data

EUVDB-ID: #VU49368

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36179

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when deserializing data that references the oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.10.7

External links

http://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
http://github.com/FasterXML/jackson-databind/issues/3004

Q & A

Can this vulnerability be exploited remotely?

Is there known malware that exploits this vulnerability?
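All 14 entries above share one affected range, jackson-databind 2.9.0 through 2.9.10.7 inclusive. The following Python check is an added example, not part of this bulletin: it compares dependency inventory entries against that range, handling Jackson's four-component micro-patch versions (2.9.10.7) correctly. The inventory lines are constructed sample Maven coordinates in groupId:artifactId:version form; the groupId shown is an assumption.

```python
"""Match a dependency inventory against the jackson-databind range this
bulletin lists as vulnerable (2.9.0 - 2.9.10.7, inclusive). Added example,
not the bulletin's or the project's own code."""
import re
from typing import List, Tuple

AFFECTED_LOW = "2.9.0"      # first affected version named in the bulletin
AFFECTED_HIGH = "2.9.10.7"  # last affected version named in the bulletin


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into a comparable integer tuple.

    Jackson micro-patch releases carry a fourth component (2.9.10.7); missing
    components count as 0, so "2.9.10" sorts before "2.9.10.1". A qualifier
    such as "-SNAPSHOT" or "+build" is dropped before parsing.
    """
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True when version lies inside the bulletin's range, bounds included."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def scan_inventory(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (coordinate, affected) for every jackson-databind entry.

    Lines are expected as groupId:artifactId:version; anything else is
    skipped, as are artifacts other than jackson-databind.
    """
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[1] != "jackson-databind":
            continue
        findings.append((line.strip(), is_affected(fields[2])))
    return findings


# Constructed sample inventory; the groupId is an assumption for illustration.
SAMPLE_INVENTORY = [
    "com.fasterxml.jackson.core:jackson-databind:2.9.10.4",  # inside range
    "com.fasterxml.jackson.core:jackson-databind:2.9.10.7",  # upper bound, inclusive
    "com.fasterxml.jackson.core:jackson-databind:2.9.10.8",  # outside listed range
    "com.fasterxml.jackson.core:jackson-core:2.9.10",        # other artifact, skipped
    "example.org:some-library:1.0.0",                        # unrelated, skipped
]
```

A version outside the range is only "not listed here"; it says nothing about other advisories, so pair this with the vendor's own release notes.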
