Vulnerability Name: CVE-2020-24616 (CCN-187229)
Assigned: 2020-08-10
Published: 2020-08-10
Updated: 2022-05-12
Summary: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVSS v3 Severity:
  8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network | Attack Complexity (AC): High | Privileges Required (PR): None | User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High | Integrity (I): High | Availability (A): High

  9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network | Attack Complexity (AC): Low | Privileges Required (PR): None | User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High | Integrity (I): High | Availability (A): High
CVSS v2 Severity:
  6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Exploitability Metrics: Access Vector (AV): Network | Access Complexity (AC): Medium | Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial | Integrity (I): Partial | Availability (A): Partial

  10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Exploitability Metrics: Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): None
  Impact Metrics: Confidentiality (C): Complete | Integrity (I): Complete | Availability (A): Complete
Vulnerability Type: CWE-502
Vulnerability Consequences: Gain Access

References:
  Source: MITRE | Type: CNA | CVE-2020-24616
  Source: XF | Type: UNKNOWN | fasterxml-cve202024616-code-exec(187229)
  Source: CCN | Type: jackson-databind GIT Repository | Block one more gadget type (Anteros-DBCP, CVE-xxxx-xxx) #2814
  Source: MISC | Type: Issue Tracking, Patch, Third Party Advisory | https://github.com/FasterXML/jackson-databind/issues/2814
  Source: MLIST | Type: Mailing List, Third Party Advisory | [debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update
  Source: MISC | Type: Exploit, Third Party Advisory | https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
  Source: CONFIRM | Type: Third Party Advisory | https://security.netapp.com/advisory/ntap-20200904-0006/
  Source: CCN | Type: IBM Security Bulletin 6328195 (Cloud Pak System) | Vulnerability in jackson-databind shipped with IBM Cloud Pak System
  Source: CCN | Type: IBM Security Bulletin 6348046 (Security Access Manager) | Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products
  Source: CCN | Type: IBM Security Bulletin 6367943 (Spectrum Protect Plus) | Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus
  Source: CCN | Type: IBM Security Bulletin 6377966 (Watson Developer Cloud) | Potential vulnerability with FasterXML jackson-databind
  Source: CCN | Type: IBM Security Bulletin 6379794 (Aspera High-Speed Transfer Server) | jackson-databind vulnerability CVE-2020-24616 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0
  Source: CCN | Type: IBM Security Bulletin 6496727 (Sterling B2B Integrator) | Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator
  Source: CCN | Type: IBM Security Bulletin 6525182 (Spectrum Copy Data Management) | Vulnerabilities in Jackson, jQuery, and Dom4j affect IBM Spectrum Copy Data Management
  Source: CCN | Type: IBM Security Bulletin 6528214 (Cloud Pak for Multicloud Management) | IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies
  Source: CCN | Type: IBM Security Bulletin 6593435 (Process Mining) | Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs)
  Source: CCN | Type: IBM Security Bulletin 6595755 (Disconnected Log Collector) | IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities
  Source: CCN | Type: IBM Security Bulletin 6597241 (Cognos Analytics) | IBM Cognos Analytics has addressed multiple vulnerabilities
  Source: CCN | Type: IBM Security Bulletin 6828455 (z/Transaction Processing Facility) | z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages
  Source: CCN | Type: IBM Security Bulletin 6840955 (Log Analysis) | Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis
  Source: CCN | Type: IBM Security Bulletin 6910171 (Integration Designer) | Multiple CVEs affect IBM Integration Designer
  Source: CCN | Type: IBM Security Bulletin 6983482 (Security Verify Governance) | IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities.
  Source: MISC | Type: Patch, Third Party Advisory | https://www.oracle.com/security-alerts/cpuApr2021.html
  Source: MISC | Type: Patch, Third Party Advisory | https://www.oracle.com/security-alerts/cpuapr2022.html
  Source: MISC | Type: Patch, Third Party Advisory | https://www.oracle.com/security-alerts/cpujan2021.html
  Source: MISC | Type: Patch, Third Party Advisory | https://www.oracle.com/security-alerts/cpujan2022.html
  Source: MISC | Type: Patch, Third Party Advisory | https://www.oracle.com/security-alerts/cpuoct2021.html
  Source: CCN | Type: WhiteSource Vulnerability Database | CVE-2020-24616

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.9.0 and < 2.9.10.6)
  Configuration 2:
    cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* OR
    cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* OR
    cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
  Configuration 3:
    cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* OR
    cpe:/a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.2) OR
    cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:* OR
    cpe:/a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:* OR
    cpe:/a:oracle:banking_liquidity_management:14.3:*:*:*:*:*:*:* OR
    cpe:/a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:* OR
    cpe:/a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:* OR
    cpe:/a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:* OR
    cpe:/a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:* OR
    cpe:/a:oracle:blockchain_platform:*:*:*:*:*:*:*:* (Version < 21.1.2) OR
    cpe:/a:oracle:communications_calendar_server:8.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_contacts_server:8.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_element_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.4.0) OR
    cpe:/a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.2.2.1) OR
    cpe:/a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* (Version <= 21.2)
  Configuration 4:
    cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:fasterxml:jackson-databind:2.9.10:*:*:*:*:*:*:* AND
    cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:watson_developer_cloud:1.4.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:watson_developer_cloud:1.4.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR
    cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:* OR
    cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:security_access_manager:9.0.7:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR
    cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR
    cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:* OR
    cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:* OR
    cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
Affected Products (vendor / product / version):
  Vendor      Product                                                          Version
  fasterxml   jackson-databind                                                 *
  netapp      active iq unified manager                                        -
  netapp      active iq unified manager                                        -
  netapp      active iq unified manager                                        -
  oracle      application testing suite                                        13.3.0.1
  oracle      agile plm                                                        9.3.6
  oracle      communications policy management                                 12.5.0
  oracle      communications diameter signaling router                         *
  oracle      communications services gatekeeper                               7.0
  oracle      communications evolved communications application server         7.1
  oracle      communications contacts server                                   8.0.0.5.0
  oracle      communications calendar server                                   8.0.0.4.0
  oracle      communications unified inventory management                      7.4.1
  oracle      communications cloud native core unified data repository         1.4.0
  oracle      autovue for agile product lifecycle management                   21.0.2
  oracle      banking liquidity management                                     14.2
  oracle      banking liquidity management                                     14.3
  oracle      banking liquidity management                                     14.5
  oracle      banking supply chain finance                                     14.2
  oracle      banking supply chain finance                                     14.3
  oracle      banking supply chain finance                                     14.5
  oracle      blockchain platform                                              *
  oracle      communications calendar server                                   8.0
  oracle      communications contacts server                                   8.0
  oracle      communications element manager                                   *
  oracle      communications instant messaging server                          10.0.1.5.0
  oracle      communications messaging server                                  8.1
  oracle      communications offline mediation controller                      12.0.0.3
  oracle      communications pricing design center                             12.0.0.4.0
  oracle      communications session report manager                            *
  oracle      identity manager connector                                       11.1.1.5.0
  oracle      siebel ui framework                                              *
  debian      debian linux                                                     9.0
  fasterxml   jackson-databind                                                 2.9.10
  ibm         spectrum protect plus                                            10.1.0
  ibm         sterling b2b integrator                                          6.0.0.0
  ibm         sterling b2b integrator                                          5.2.0.0
  ibm         sterling b2b integrator                                          6.0.1.0
  ibm         cloud pak system                                                 2.3.0.1
  ibm         watson developer cloud                                           1.4.0
  ibm         cloud pak system                                                 2.3.1.1
  ibm         watson developer cloud                                           1.4.1
  ibm         log analysis                                                     1.3.5.3
  ibm         log analysis                                                     1.3.6.0
  ibm         spectrum protect plus                                            10.1.6
  ibm         log analysis                                                     1.3.6.1
  ibm         security verify access                                           10.0.0
  ibm         security access manager                                          9.0.7
  ibm         sterling b2b integrator                                          6.1.0.0
  ibm         integration designer                                             20.0.0.2
  ibm         cognos analytics                                                 11.2.0
  ibm         cognos analytics                                                 11.1.7
  ibm         spectrum copy data management                                    2.2.13
  ibm         cognos analytics                                                 11.2.1
  ibm         security verify governance                                       10.0