Vulnerability Name:

CVE-2020-10650 (CCN-234219)

Assigned: 2020-11-29
Published: 2020-11-29
Updated: 2023-04-30
Summary: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the unsafe deserialization of data when handling interactions related to the class ignite-jta. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS v3 Severity: 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2020-10650

Source: XF
Type: UNKNOWN
fasterxml-cve202010650-code-exec(234219)

Source: CCN
Type: GitHub Advisory Database
jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: jackson-databind GIT Repository
Fix #2658

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: UNKNOWN
cve@mitre.org

Source: cve@mitre.org
Type: Exploit, Third Party Advisory
cve@mitre.org

Source: CCN
Type: SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324
Deserialization of Untrusted Data

Source: CCN
Type: Mend Vulnerability Database
CVE-2020-10650

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Vulnerable Configuration:
Configuration CCN 1:
  • cpe:/a:fasterxml:jackson-databind:2.9.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.9.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.9.10.3:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.6.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.6.7.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    fasterxml jackson-databind 2.9.10.1
    fasterxml jackson-databind 2.9.10.2
    fasterxml jackson-databind 2.9.10.3
    fasterxml jackson-databind 2.6.7.2
    fasterxml jackson-databind 2.6.7.3