CVE-2020-10650
high-risk
Published 2022-12-26
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
Do I need to act?
~
9.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10
High
NETWORK
/ HIGH complexity
Affected Products (10)
References (16)
Third Party Advisory
https://github.com/advisories/GHSA-rpr3-cw39-3pxh
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230818-0007/
Third Party Advisory
https://github.com/advisories/GHSA-rpr3-cw39-3pxh
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230818-0007/
51
/ 100
high-risk
Severity
24/34 · High
Exploitability
11/34 · Low
Exposure
16/34 · Moderate