| Vulnerability Name: | CVE-2020-25649 (CCN-192648) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2020-01-09 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Published: | 2020-01-09 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Updated: | 2023-02-02 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Summary: | FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-25649 Source: CCN Type: Red Hat Bugzilla - Bug 1887664 CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) Source: secalert@redhat.com Type: Issue Tracking, Third Party Advisory secalert@redhat.com Source: XF Type: UNKNOWN fasterxml-cve202025649-weak-security(192648) Source: CCN Type: jackson-databind GIT Repository `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649] #2589 Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Patch, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Mailing List, Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Third Party Advisory secalert@redhat.com Source: secalert@redhat.com Type: Third Party Advisory secalert@redhat.com Source: CCN Type: IBM Security Bulletin 6405734 (Global High Availability Mailbox) Vulnerability In Jackson Databind library shipped with IBM Global Mailbox (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6410882 (Spectrum Protect Plus) Vulnerabilities in Node.js and FasterXML jackson-databind affect IBM Spectrum Protect Plus Source: CCN Type: IBM Security Bulletin 6412707 (Planning Analytics) IBM Planning Analytics Workspace is affected by security vulnerabilities Source: CCN Type: IBM Security Bulletin 6415989 (Tivoli Netcool/OMNIbus) A vulnerability have been identified in FasterXML Jackson Databind shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6415993 (Spectrum Control) Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control Source: CCN Type: IBM Security Bulletin 6416145 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind Source: CCN Type: IBM Security Bulletin 6423757 (Spectrum Symphony) Vulnerability in jackson-databind affect IBM Spectrum Symphony Source: CCN Type: IBM Security Bulletin 6427001 (Curam SPM) Vulnerability in FasterXML Jackson libraries affect IBM Cram Social Program Management (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6427943 (Network Performance Insight) IBM Network Performance Insight 1.3.1 was affected by vulnerability in jackson-databind (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6450757 (Events Operator) IBM CloudPak foundational services (Events Operator) is affected by potential data integrity issue (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6454183 (Sterling B2B Integrator) Multiple Security Vulnerabilities in Jackson-Databind Affects IBM Sterling B2B Integrator Source: CCN Type: IBM Security Bulletin 6455267 (Security Guardium) IBM Security Guardium is affected by a jackson-databind vulnerability Source: CCN Type: IBM Security Bulletin 6458597 (Aspera High-Speed Transfer Server (HSTS)) FasterXML Jackson Databind vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6461951 (Event Streams) IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6464399 (Cloud Pak System) Vulnerability in jackson-databind affects Cloud Pak System (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6475673 (QRadar SIEM) IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities Source: CCN Type: IBM Security Bulletin 6476332 (WA for ICP) Potential vulnerability with FasterXML jackson-databind Source: CCN Type: IBM Security Bulletin 6479907 (Disconnected Log Collector) IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6486051 (Cloud Private) IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6496727 (Sterling B2B Integrator) Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator Source: CCN Type: IBM Security Bulletin 6502211 (Security Access Manager Appliance) Multiple Security Vulnerabilities Have been addressed in IBM Security Access Manager Source: CCN Type: IBM Security Bulletin 6525182 (Spectrum Copy Data Management) Vulnerabilities in Jackson, jQuery, and Dom4j affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6528214 (Cloud Pak for Multicloud Management) IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies Source: CCN Type: IBM Security Bulletin 6557106 (Planning Analytics Workspace) IBM Planning Analytics Workspace is affected by security vulnerabilities Source: CCN Type: IBM Security Bulletin 6573001 (Security Guardium) IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) Source: CCN Type: IBM Security Bulletin 6579485 (Engineering Requirements Management DOORS Next) IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6593435 (Process Mining) Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) Source: CCN Type: IBM Security Bulletin 6595755 (Disconnected Log Collector) IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6597241 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities Source: CCN Type: IBM Security Bulletin 6601921 (Tivoli Network Manager) IBM Tivoli Network Manager is vulnerable to XML external entity (XEE) attacks due to FasterXML (CVE-2020-25649) Source: CCN Type: IBM Security Bulletin 6823731 (Spectrum Protect Backup-Archive Client) Vulnerabilities in FasterXML Jackson Databind and Apache Xerces affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments Source: CCN Type: IBM Security Bulletin 6828455 (z/Transaction Processing Facility) z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com Source: CCN Type: Oracle Critical Patch Update Advisory - April 2021 Oracle Critical Patch Update Advisory - April 2021 Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com Source: CCN Type: Oracle CPUApr2022 Oracle Critical Patch Update Advisory - April 2022 Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com Source: CCN Type: Oracle CPUJan2022 Oracle Critical Patch Update Advisory - January 2022 Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com Source: CCN Type: Oracle CPUJul2021 Oracle Critical Patch Update Advisory - July 2021 Source: CCN Type: Oracle CPUJul2022 Oracle Critical Patch Update Advisory - July 2022 Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com Source: CCN Type: Oracle CPUOct2021 Oracle Critical Patch Update Advisory - October 2021 Source: secalert@redhat.com Type: Patch, Third Party Advisory secalert@redhat.com | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||