Vulnerability Name:

CVE-2020-24750 (CCN-188470)

Assigned:2020-07-16
Published:2020-07-16
Updated:2022-05-12
Summary:FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSS v3 Severity:8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-502
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-24750

Source: XF
Type: UNKNOWN
fasterxml-cve202024750-code-exec(188470)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b

Source: CCN
Type: jackson-databind GIT Repository
Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750) #2798

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2798

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20201009-0003/

Source: CCN
Type: IBM Security Bulletin 6343203 (Cloud Pak System)
Vulnerability identified in jackson-databind shipped with IBM Cloud Pak System (CVE-2020-24750)

Source: CCN
Type: IBM Security Bulletin 6364977 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

Source: CCN
Type: IBM Security Bulletin 6367943 (Spectrum Protect Plus)
Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6378366 (Cognos Business Intelligence)
IBM Cognos Business Intelligence has addressed multiple vulnerabilities (Q12021)

Source: CCN
Type: IBM Security Bulletin 6380384 (Aspera High-Speed Transfer Server)
jackson-databind vulnerability CVE-2020-24750 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0

Source: CCN
Type: IBM Security Bulletin 6496727 (Sterling B2B Integrator)
Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6525182 (Spectrum Copy Data Management)
Vulnerabilities in Jackson, jQuery, and Dom4j affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6528214 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies

Source: CCN
Type: IBM Security Bulletin 6555142 (Cloud Private)
IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750)

Source: CCN
Type: IBM Security Bulletin 6593435 (Process Mining)
Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6595755 (Disconnected Log Collector)
IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6597241 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6828455 (z/Transaction Processing Facility)
z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages

Source: CCN
Type: IBM Security Bulletin 6840955 (Log Analysis)
Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6910171 (Integration Designer)
Multiple CVEs affect IBM Integration Designer

Source: CCN
Type: IBM Security Bulletin 6983482 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities.

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2021
Oracle Critical Patch Update Advisory - January 2021

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.9.0 and < 2.9.10.6)

    • Configuration 2:
  • cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.2)
  • OR cpe:/a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_liquidity_management:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_calendar_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_contacts_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_element_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.2.1)
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:* (Version <= 21.5)
  • OR cpe:/a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* (Version <= 21.2)
  • OR cpe:/a:oracle:blockchain_platform:*:*:*:*:*:*:*:* (Version < 21.1.2)
  • OR cpe:/a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.2.2.1)

    • Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:fasterxml:jackson-databind:2.9.10.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cognos_business_intelligence:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    fasterxml jackson-databind *
    oracle application testing suite 13.3.0.1
    oracle agile plm 9.3.6
    oracle communications policy management 12.5.0
    oracle communications diameter signaling router *
    oracle communications offline mediation controller 12.0.0.3.0
    oracle communications services gatekeeper 7.0
    oracle communications contacts server 8.0.0.5.0
    oracle communications calendar server 8.0.0.4.0
    oracle banking credit facilities process management 14.3.0
    oracle banking corporate lending process management 14.3.0
    oracle autovue for agile product lifecycle management 21.0.2
    oracle banking corporate lending process management 14.2.0
    oracle banking corporate lending process management 14.5.0
    oracle banking credit facilities process management 14.2.0
    oracle banking credit facilities process management 14.5.0
    oracle banking liquidity management 14.2
    oracle banking liquidity management 14.3
    oracle banking liquidity management 14.5
    oracle banking supply chain finance 14.2.0
    oracle banking supply chain finance 14.3.0
    oracle banking supply chain finance 14.5.0
    oracle communications calendar server 8.0
    oracle communications contacts server 8.0
    oracle communications element manager *
    oracle communications messaging server 8.1
    oracle communications session route manager *
    oracle communications unified inventory management 7.4.1
    oracle identity manager connector 11.1.1.5.0
    oracle siebel core - server framework *
    oracle siebel ui framework *
    oracle blockchain platform *
    oracle communications instant messaging server 10.0.1.5.0
    oracle communications pricing design center 12.0.0.4.0
    oracle communications session report manager *
    debian debian linux 9.0
    fasterxml jackson-databind 2.9.10.5
    ibm cognos business intelligence 10.2.2
    ibm spectrum protect plus 10.1.0
    ibm cloud private 3.1.0
    ibm cloud private 3.1.1
    ibm cloud private 3.1.2
    ibm sterling b2b integrator 6.0.0.0
    ibm sterling b2b integrator 5.2.0.0
    ibm cloud private 3.2.0
    ibm sterling b2b integrator 6.0.1.0
    ibm cloud pak system 2.3.0.1
    ibm watson discovery 2.0.0
    ibm cloud pak system 2.3.1.1
    ibm cloud private 3.2.1 cd
    ibm log analysis 1.3.5.3
    ibm log analysis 1.3.6.0
    ibm spectrum protect plus 10.1.6
    ibm cloud private 3.2.2 cd
    ibm log analysis 1.3.6.1
    ibm watson discovery 2.1.4
    ibm sterling b2b integrator 6.1.0.0
    ibm integration designer 20.0.0.2
    ibm cognos analytics 11.2.0
    ibm cognos analytics 11.1.7
    ibm spectrum copy data management 2.2.13
    ibm cognos analytics 11.2.1
    ibm security verify governance 10.0