CVE-2020-25649

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-25649
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25649.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-25649
Aliases
Downstream
Related
Published
2020-12-03T17:15:12.503Z
Modified
2026-05-18T05:52:30.092686257Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "vendor_product": "fedoraproject:fedora",
            "extracted_events": [
                {
                    "last_affected": "32"
                }
            ],
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:agile_plm",
            "extracted_events": [
                {
                    "last_affected": "9.3.6"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*"
            ],
            "vendor_product": "oracle:agile_product_lifecycle_management_integration_pack",
            "extracted_events": [
                {
                    "last_affected": "3.6"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:banking_apis",
            "extracted_events": [
                {
                    "introduced": "18.1"
                },
                {
                    "last_affected": "18.3"
                },
                {
                    "last_affected": "19.1"
                },
                {
                    "last_affected": "19.2"
                },
                {
                    "last_affected": "20.1"
                },
                {
                    "last_affected": "21.1"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:banking_platform",
            "extracted_events": [
                {
                    "last_affected": "2.6.2"
                },
                {
                    "last_affected": "2.7.0"
                },
                {
                    "last_affected": "2.7.1"
                },
                {
                    "last_affected": "2.8.0"
                },
                {
                    "last_affected": "2.9.0"
                },
                {
                    "last_affected": "2.10.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:banking_platform:2.10.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:banking_treasury_management:4.4:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:banking_treasury_management",
            "extracted_events": [
                {
                    "last_affected": "4.4"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:blockchain_platform",
            "extracted_events": [
                {
                    "fixed": "21.1.2"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:coherence",
            "extracted_events": [
                {
                    "last_affected": "12.2.1.4.0"
                },
                {
                    "last_affected": "14.1.1.0.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:commerce_platform",
            "extracted_events": [
                {
                    "introduced": "11.3.0"
                },
                {
                    "last_affected": "11.3.2"
                },
                {
                    "last_affected": "11.2.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:commerce_platform:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:commerce_platform:11.2.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_billing_and_revenue_management",
            "extracted_events": [
                {
                    "last_affected": "7.5.0.23.0"
                },
                {
                    "last_affected": "12.0.0.3.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_cloud_native_core_unified_data_repository",
            "extracted_events": [
                {
                    "last_affected": "1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_convergent_charging_controller",
            "extracted_events": [
                {
                    "last_affected": "12.0.4.0.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_evolved_communications_application_server",
            "extracted_events": [
                {
                    "last_affected": "7.1"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_instant_messaging_server",
            "extracted_events": [
                {
                    "last_affected": "10.0.1.5.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_interactive_session_recorder",
            "extracted_events": [
                {
                    "last_affected": "6.3"
                },
                {
                    "last_affected": "6.4"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpes": [
                "cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*",
                "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_messaging_server",
            "extracted_events": [
                {
                    "last_affected": "8.0.2"
                },
                {
                    "last_affected": "8.1"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_network_charging_and_control",
            "extracted_events": [
                {
                    "last_affected": "12.0.4.0.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_offline_mediation_controller",
            "extracted_events": [
                {
                    "last_affected": "12.0.0.3"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_pricing_design_center",
            "extracted_events": [
                {
                    "last_affected": "12.0.0.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_services_gatekeeper",
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:communications_unified_inventory_management",
            "extracted_events": [
                {
                    "last_affected": "7.4.1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:goldengate_application_adapters",
            "extracted_events": [
                {
                    "last_affected": "19.1.0.0.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:health_sciences_empirica_signal",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                },
                {
                    "last_affected": "9.1"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:insurance_policy_administration",
            "extracted_events": [
                {
                    "introduced": "11.1.0"
                },
                {
                    "last_affected": "11.3.0"
                },
                {
                    "last_affected": "11.0.2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:insurance_rules_palette",
            "extracted_events": [
                {
                    "introduced": "11.1.0"
                },
                {
                    "last_affected": "11.3.0"
                },
                {
                    "last_affected": "11.0.2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:jd_edwards_enterpriseone_orchestrator",
            "extracted_events": [
                {
                    "fixed": "9.2.5.3"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:jd_edwards_enterpriseone_tools",
            "extracted_events": [
                {
                    "fixed": "9.2.5.3"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:primavera_gateway",
            "extracted_events": [
                {
                    "introduced": "17.7"
                },
                {
                    "last_affected": "17.12"
                },
                {
                    "introduced": "17.12.0"
                },
                {
                    "last_affected": "17.12.11"
                },
                {
                    "introduced": "18.8.0"
                },
                {
                    "last_affected": "18.8.11"
                },
                {
                    "introduced": "19.12.0"
                },
                {
                    "last_affected": "19.12.10"
                },
                {
                    "last_affected": "20.12.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:retail_service_backbone",
            "extracted_events": [
                {
                    "last_affected": "14.1.3.2"
                },
                {
                    "last_affected": "15.0.3.1"
                },
                {
                    "last_affected": "16.0.3"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:retail_xstore_point_of_service",
            "extracted_events": [
                {
                    "last_affected": "16.0.6"
                },
                {
                    "last_affected": "17.0.4"
                },
                {
                    "last_affected": "18.0.3"
                },
                {
                    "last_affected": "19.0.2"
                },
                {
                    "last_affected": "20.0.1"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:sd-wan_edge",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:utilities_framework",
            "extracted_events": [
                {
                    "last_affected": "4.3.0.5.0"
                },
                {
                    "last_affected": "4.3.0.6.0"
                },
                {
                    "last_affected": "4.4.0.0.0"
                },
                {
                    "last_affected": "4.4.0.2.0"
                },
                {
                    "last_affected": "4.4.0.3.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "source": "CPE_FIELD",
            "vendor_product": "oracle:webcenter_portal",
            "extracted_events": [
                {
                    "last_affected": "12.2.1.3.0"
                },
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"
            ]
        }
    ]
}
References

Affected packages

Git
github.com/apache/iotdb

Affected ranges

Type
GIT
Repo
https://github.com/apache/iotdb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
06adff7fad83c324aaeb90160766ecfd0bd2b84a
Database specific 
{
    "cpe": "cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.0"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25649.json"
github.com/fasterxml/jackson-databind

Affected ranges

Type
GIT
Repo
https://github.com/fasterxml/jackson-databind
Events
Introduced
21f90cf247018c1286cc20544029782450dc270a
Fixed
fe5805bb27111c6fd010b04e7dc92a7536869301
Introduced
e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8
Fixed
d0e9952ea70d1af5c512322a32456f237afb9e9b
Introduced
a1eedfdeea46f2a8da0ed23f06e7e1d39050499b
Fixed
94484ca0177dd02c3ed83a5a5bbbcffc07a44d03
Database specific 
{
    "cpe": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "2.6.0"
        },
        {
            "fixed": "2.6.7.4"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.10.7"
        },
        {
            "introduced": "2.10.0"
        },
        {
            "fixed": "2.10.5.1"
        }
    ]
}

Affected versions

jackson-databind-2.*
jackson-databind-2.10.0
jackson-databind-2.10.1
jackson-databind-2.10.2
jackson-databind-2.10.3
jackson-databind-2.10.4
jackson-databind-2.10.5
jackson-databind-2.6.0
jackson-databind-2.6.1
jackson-databind-2.6.2
jackson-databind-2.6.3
jackson-databind-2.6.4
jackson-databind-2.6.5
jackson-databind-2.6.6
jackson-databind-2.6.7
jackson-databind-2.6.7.1
jackson-databind-2.6.7.2
jackson-databind-2.6.7.3
jackson-databind-2.9.0
jackson-databind-2.9.1
jackson-databind-2.9.10
jackson-databind-2.9.10.1
jackson-databind-2.9.10.2
jackson-databind-2.9.10.3
jackson-databind-2.9.10.4
jackson-databind-2.9.10.5
jackson-databind-2.9.10.6
jackson-databind-2.9.3
jackson-databind-2.9.4
jackson-databind-2.9.5
jackson-databind-2.9.6
jackson-databind-2.9.7
jackson-databind-2.9.8
jackson-databind-2.9.9
jackson-databind-2.9.9.1
jackson-databind-2.9.9.2
jackson-databind-2.9.9.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25649.json"
github.com/quarkusio/quarkus

Affected ranges

Type
GIT
Repo
https://github.com/quarkusio/quarkus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
76871146a2f242c252fc43676f43756adca218e2
Database specific 
{
    "cpe": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.6.1"
        }
    ]
}

Affected versions

1.*
1.6.1.Final

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25649.json"