CVE-2020-14061

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-14061

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-14061.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-14061

Aliases

GHSA-c2q3-4qrh-fm48

Related

Published

2020-06-14T20:15:10Z

Modified

2024-09-11T04:33:38.879677Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

References

Affected packages

Debian:11 / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type: GIT
Repo: https://github.com/fasterxml/jackson-databind
Events: Introduced

e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8

Fixed

82c84c74e99ab04cd46b5349f24be1c753034ce1

Affected versions

jackson-databind-2.*

jackson-databind-2.6.7.1

jackson-databind-2.7.9.2

jackson-databind-2.7.9.3

jackson-databind-2.7.9.4

jackson-databind-2.7.9.5

jackson-databind-2.7.9.6

jackson-databind-2.7.9.7

jackson-databind-2.8.10

jackson-databind-2.8.11

jackson-databind-2.8.11.1

jackson-databind-2.8.11.2

jackson-databind-2.8.11.3

jackson-databind-2.8.11.4

jackson-databind-2.8.11.5

jackson-databind-2.8.11.6

jackson-databind-2.9.0

jackson-databind-2.9.1

jackson-databind-2.9.10

jackson-databind-2.9.10.1

jackson-databind-2.9.10.2

jackson-databind-2.9.10.3

jackson-databind-2.9.10.4

jackson-databind-2.9.2

jackson-databind-2.9.3

jackson-databind-2.9.4

jackson-databind-2.9.5

jackson-databind-2.9.6

jackson-databind-2.9.7

jackson-databind-2.9.8

jackson-databind-2.9.9

jackson-databind-2.9.9.1

jackson-databind-2.9.9.2

jackson-databind-2.9.9.3