Vulnerability Name: CVE-2020-35491 (CCN-193394) Assigned: 2017-12-22 Published: 2017-12-22 Updated: 2022-09-08 Summary: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. CVSS v3 Severity: 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): HighAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-502 Vulnerability Consequences: Gain Access References: Source: MITRECVE-2020-35491 On Jackson CVEs: Don't Panic - Here is what you need to know https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 fasterxml-cve202035491-code-exec(193394) Block 2 more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491) #2986 https://github.com/FasterXML/jackson-databind/issues/2986 [debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update https://security.netapp.com/advisory/ntap-20210122-0005/ Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator IBM Planning Analytics Workspace is affected by security vulnerabilities Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities IBM Cognos Analytics has addressed multiple vulnerabilities Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Multiple CVEs affect IBM Integration Designer IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. IBM QRadar SIEM includes components with known vulnerabilities N/A https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html N/A https://www.oracle.com/security-alerts/cpuoct2021.html Vulnerable Configuration: Configuration 1 :cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.0.0 and < 2.9.10.8)Configuration 2 :cpe:/a:netapp:service_level_manager:-:*:*:*:*:*:*:* Configuration 3 :cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* Configuration 4 :cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* OR cpe:/a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_merchandising_system:15.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.10.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* (Version >= 16.0 and <= 19.0) OR cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:documaker:12.6.3:*:*:*:*:*:*:* OR cpe:/a:oracle:documaker:12.6.4:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_treasury_management:14.4:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_diameter_signaling_route:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.5.0.0) OR cpe:/a:oracle:communications_diameter_signaling_route:-:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:blockchain_platform:*:*:*:*:*:*:*:* (Version <= 21.1.2) Configuration CCN 1 :cpe:/a:fasterxml:jackson-databind:2.9.10.7:*:*:*:*:*:*:* AND cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:* BACK
fasterxml jackson-databind *
netapp service level manager -
debian debian linux 9.0
oracle webcenter portal 12.2.1.3.0
oracle application testing suite 13.3.0.1
oracle banking platform 2.6.2
oracle agile plm 9.3.6
oracle webcenter portal 12.2.1.4.0
oracle sd-wan edge 9.0
oracle communications services gatekeeper 7.0
oracle retail merchandising system 15.0.3
oracle banking platform 2.7.0
oracle banking platform 2.7.1
oracle banking platform 2.9.0
oracle communications evolved communications application server 7.1
oracle banking platform 2.8.0
oracle banking virtual account management 14.3.0
oracle insurance policy administration j2ee 11.0.2
oracle communications unified inventory management 7.4.1
oracle retail xstore point of service 16.0.6
oracle retail xstore point of service 17.0.4
oracle retail xstore point of service 18.0.3
oracle retail xstore point of service 19.0.2
oracle banking platform 2.10.0
oracle communications cloud native core unified data repository 1.4.0
oracle retail customer management and segmentation foundation *
oracle autovue for agile product lifecycle management 21.0.2
oracle documaker 12.6.3
oracle documaker 12.6.4
oracle banking virtual account management 14.2.0
oracle banking virtual account management 14.5.0
oracle banking treasury management 14.4
oracle communications diameter signaling route *
oracle communications diameter signaling route -
oracle communications pricing design center 12.0.0.4.0
oracle communications cloud native core policy 1.14.0
oracle communications instant messaging server 10.0.1.5.0
oracle communications offline mediation controller 12.0.0.3
oracle blockchain platform *
fasterxml jackson-databind 2.9.10.7
ibm sterling b2b integrator 6.0.0.0
ibm sterling b2b integrator 5.2.0.0
ibm sterling b2b integrator 6.0.1.0
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm log analysis 1.3.6.1
ibm sterling b2b integrator 6.1.0.0
ibm integration designer 20.0.0.2
ibm cognos analytics 11.2.0
ibm cognos analytics 11.1.7
ibm cognos analytics 11.2.1
ibm planning analytics workspace 2.0
ibm security verify governance 10.0
ibm robotic process automation for cloud pak 21.0.1
ibm robotic process automation for cloud pak 21.0.2
ibm robotic process automation for cloud pak 21.0.3
ibm robotic process automation for cloud pak 21.0.5
ibm robotic process automation for cloud pak 21.0.6
ibm robotic process automation for cloud pak 21.0.4
ibm robotic process automation for cloud pak 21.0.0
ibm qradar security information and event manager 7.5.0 -
Denotes that component is vulnerable