CVE-2020-14060

high-risk

Published 2020-06-14

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

Do I need to act?

8.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (19)

Jackson-Databind

Active Iq Unified Manager

Steelstore Cloud Integrated Storage

Agile Plm

Banking Digital Experience

Communications Calendar Server

Communications Contacts Server

Communications Diameter Signaling Router

Communications Element Manager

Communications Evolved Communications Application Server

Communications Session Report Manager

Communications Session Route Manager

Affected Vendors

Oracle Netapp Fasterxml

References (18)

Patch https://github.com/FasterXML/jackson-databind/issues/2688

Mailing List https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-n...

Third Party Advisory https://security.netapp.com/advisory/ntap-20200702-0003/

Third Party Advisory https://www.oracle.com//security-alerts/cpujul2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpuApr2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html