XML External Entity injection in jackson-databind

#VU48979 XML External Entity injection in jackson-databind

Published: 2020-12-03 | Updated: 2024-03-26

Vulnerability identifier: #VU48979

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25649

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The vulnerability allows a remote attacker to modify information on the system.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and modify information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.10.0 - 2.10.5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in HPE Unified Mediation Bus (UMB)

Atlassian Bitbucket Data Center and Server update for third-party software

Atlassian Confluence Data Center and Server update for third-party software

Atlassian Crowd Data Center and Server update for third-party software

Atlassian Jira Service Management Data Center and Server update for third-party software

Atlassian Jira Data Center and Server update for third-party software

Atlassian Bamboo Data Center and Server update for third-party applications

Multiple vulnerabilities in IBM Sterling Order Management

Multiple vulnerabilities in IBM Application Performance Management products

Multiple vulnerabilities in Oracle Insurance Policy Administration Operational Data Store for Life and Annuity