CVE-2019-20330

high-risk

Published 2020-01-03

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Do I need to act?

1.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: e8697cdbf415028b171f9b7698f3308eda00a3c7, ba9ac61920a4391568f4959e399a25833eae9cf6, f78b6ec284cea3f3f57e8ea21a969b3735679905

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Jackson-Databind

Banking Platform

Communications Billing And Revenue Management

Communications Cloud Native Core Network Slice Selection Function

Communications Contacts Server

Communications Evolved Communications Application Server

Communications Instant Messaging Server

Communications Network Charging And Control

Customer Management And Segmentation Foundation

Enterprise Manager Base Platform

Global Lifecycle Management Opatch

Goldengate Application Adapters

Goldengate Stream Analytics

Jd Edwards Enterpriseone Orchestrator

Jd Edwards Enterpriseone Tools

Primavera Unifier

Affected Vendors

Debian Oracle Netapp Fasterxml

References (66)

Patch https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1....

Patch https://github.com/FasterXML/jackson-databind/issues/2526

https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9e...

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab...

https://lists.apache.org/thread.html/r2c77dd6ab8344285bd8e481b57cf3029965a4b0036...

https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7d...

https://lists.apache.org/thread.html/r3f8180d0d25a7c6473ebb9714b0c1d19a73f455ae7...

https://lists.apache.org/thread.html/r428735963bee7cb99877b88d3228e28ec28af64646...

https://lists.apache.org/thread.html/r50f513772f12e1babf65c7c2b9c16425bac2d94535...

https://lists.apache.org/thread.html/r5c14fdcabdeaba258857bcb67198652e4dce1d33dd...

https://lists.apache.org/thread.html/r5c3644c97f0434d1ceb48ff48897a67bdbf3baf7ef...

https://lists.apache.org/thread.html/r5d3d10fdf28110da3f9ac1b7d08d7e252f98d7d37c...

https://lists.apache.org/thread.html/r67f4d4c48197454b83d62afbed8bebbda3764e6e3a...

https://lists.apache.org/thread.html/r707d23bb9ee245f50aa909add0da6e8d8f24719b12...

https://lists.apache.org/thread.html/r7a0821b44247a1e6c6fe5f2943b90ebc4f80a8d1fb...

https://lists.apache.org/thread.html/r7fb123e7dad49af5886cfec7135c0fd5b74e4c67af...

https://lists.apache.org/thread.html/r8831b7fa5ca87a1cf23ee08d6dedb7877a964c1d2b...

https://lists.apache.org/thread.html/r909c822409a276ba04dc2ae31179b16f6864ba02c4...

https://lists.apache.org/thread.html/ra2e572f568de8df5ba151e6aebb225a0629faaf047...

https://lists.apache.org/thread.html/ra5ce96faec37c26b0aa15b4b6a8b1cbb145a748653...

and 46 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 5/34 · Minimal

Exposure 25/34 · High