CVE-2020-35728

high-risk

Published 2020-12-27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Do I need to act?

40.5% chance of exploitation in next 30 days

EPSS score — higher than 59% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (20)

Jackson-Databind

Debian Linux

Service Level Manager

Agile Plm

Application Testing Suite

Autovue

Banking Corporate Lending Process Management

Banking Credit Facilities Process Management

Banking Extensibility Workbench

Banking Supply Chain Finance

Banking Treasury Management

Banking Virtual Account Management

Affected Vendors

Debian Oracle Netapp Fasterxml

References (20)

Patch https://github.com/FasterXML/jackson-databind/issues/2999

Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-n...

Third Party Advisory https://security.netapp.com/advisory/ntap-20210129-0007/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Third Party Advisory https://www.oracle.com/security-alerts/cpujul2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html