Vulnerabilities > CVE-2020-35491 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

NVD

Published: 2020-12-17

Updated: 2022-09-08

Summary

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Vulnerable Configurations

Part	Description	Count
Application	Fasterxml Fasterxml Jackson Databind 2.0.0 Fasterxml Jackson Databind 2.0.1 Fasterxml Jackson Databind 2.0.2 Fasterxml Jackson Databind 2.0.4 Fasterxml Jackson Databind 2.0.5 Fasterxml Jackson Databind 2.0.6 Fasterxml Jackson Databind 2.1.0 Fasterxml Jackson Databind 2.1.1 Fasterxml Jackson Databind 2.1.2 Fasterxml Jackson Databind 2.1.3 Fasterxml Jackson Databind 2.1.4 Fasterxml Jackson Databind 2.1.5 Fasterxml Jackson Databind 2.2.0 Fasterxml Jackson Databind 2.2.1 Fasterxml Jackson Databind 2.2.2 Fasterxml Jackson Databind 2.2.3 Fasterxml Jackson Databind 2.2.4 Fasterxml Jackson Databind 2.3.0 Fasterxml Jackson Databind 2.3.1 Fasterxml Jackson Databind 2.3.2 Fasterxml Jackson Databind 2.3.3 Fasterxml Jackson Databind 2.3.4 Fasterxml Jackson Databind 2.3.5 Fasterxml Jackson Databind 2.4.0 Fasterxml Jackson Databind 2.4.1 Fasterxml Jackson Databind 2.4.1.1 Fasterxml Jackson Databind 2.4.1.2 Fasterxml Jackson Databind 2.4.1.3 Fasterxml Jackson Databind 2.4.2 Fasterxml Jackson Databind 2.4.3 Fasterxml Jackson Databind 2.4.4 Fasterxml Jackson Databind 2.4.5 Fasterxml Jackson Databind 2.4.5.1 Fasterxml Jackson Databind 2.4.6 Fasterxml Jackson Databind 2.4.6.1 Fasterxml Jackson Databind 2.5.0 Fasterxml Jackson Databind 2.5.1 Fasterxml Jackson Databind 2.5.2 Fasterxml Jackson Databind 2.5.3 Fasterxml Jackson Databind 2.5.4 Fasterxml Jackson Databind 2.5.5 Fasterxml Jackson Databind 2.6.0 Fasterxml Jackson Databind 2.6.1 Fasterxml Jackson Databind 2.6.2 Fasterxml Jackson Databind 2.6.3 Fasterxml Jackson Databind 2.6.4 Fasterxml Jackson Databind 2.6.5 Fasterxml Jackson Databind 2.6.6 Fasterxml Jackson Databind 2.6.7 Fasterxml Jackson Databind 2.6.7.1 Fasterxml Jackson Databind 2.6.7.2 Fasterxml Jackson Databind 2.6.7.3 Fasterxml Jackson Databind 2.6.7.4 Fasterxml Jackson Databind 2.7.0 Fasterxml Jackson Databind 2.7.1 Fasterxml Jackson Databind 2.7.1-1 Fasterxml Jackson Databind 2.7.2 Fasterxml Jackson Databind 2.7.3 Fasterxml Jackson Databind 2.7.4 Fasterxml Jackson Databind 2.7.5 Fasterxml Jackson Databind 2.7.6 Fasterxml Jackson Databind 2.7.7 Fasterxml Jackson Databind 2.7.8 Fasterxml Jackson Databind 2.7.9 Fasterxml Jackson Databind 2.7.9.1 Fasterxml Jackson Databind 2.7.9.2 Fasterxml Jackson Databind 2.7.9.3 Fasterxml Jackson Databind 2.7.9.4 Fasterxml Jackson Databind 2.7.9.5 Fasterxml Jackson Databind 2.7.9.6 Fasterxml Jackson Databind 2.7.9.7 Fasterxml Jackson Databind 2.8.0 Fasterxml Jackson Databind 2.8.1 Fasterxml Jackson Databind 2.8.2 Fasterxml Jackson Databind 2.8.3 Fasterxml Jackson Databind 2.8.4 Fasterxml Jackson Databind 2.8.5 Fasterxml Jackson Databind 2.8.6 Fasterxml Jackson Databind 2.8.7 Fasterxml Jackson Databind 2.8.8 Fasterxml Jackson Databind 2.8.8.1 Fasterxml Jackson Databind 2.8.9 Fasterxml Jackson Databind 2.8.10 Fasterxml Jackson Databind 2.8.11 Fasterxml Jackson Databind 2.8.11.1 Fasterxml Jackson Databind 2.8.11.2 Fasterxml Jackson Databind 2.8.11.3 Fasterxml Jackson Databind 2.8.11.4 Fasterxml Jackson Databind 2.8.11.5 Fasterxml Jackson Databind 2.8.11.6 Fasterxml Jackson Databind 2.9.0 Fasterxml Jackson Databind 2.9.1 Fasterxml Jackson Databind 2.9.2 Fasterxml Jackson Databind 2.9.3 Fasterxml Jackson Databind 2.9.4 Fasterxml Jackson Databind 2.9.5 Fasterxml Jackson Databind 2.9.6 Fasterxml Jackson Databind 2.9.7 Fasterxml Jackson Databind 2.9.8 Fasterxml Jackson Databind 2.9.9 Fasterxml Jackson Databind 2.9.9.1 Fasterxml Jackson Databind 2.9.9.2 Fasterxml Jackson Databind 2.9.9.3 Fasterxml Jackson Databind 2.9.9.4 Fasterxml Jackson Databind 2.9.10 Fasterxml Jackson Databind 2.9.10.1 Fasterxml Jackson Databind 2.9.10.2 Fasterxml Jackson Databind 2.9.10.3 Fasterxml Jackson Databind 2.9.10.4 Fasterxml Jackson Databind 2.9.10.5 Fasterxml Jackson Databind 2.9.10.6 Fasterxml Jackson Databind 2.9.10.7	142
Application	Netapp Netapp Service Level Manager -	1
Application	Oracle Oracle Webcenter Portal 12.2.1.3.0 Oracle Webcenter Portal 12.2.1.4.0 Oracle Application Testing Suite 13.3.0.1 Oracle Banking Platform 2.6.2 Oracle Banking Platform 2.7.0 Oracle Banking Platform 2.7.1 Oracle Banking Platform 2.9.0 Oracle Banking Platform 2.8.0 Oracle Banking Platform 2.10.0 Oracle Agile PLM 9.3.6 Oracle SD WAN Edge 9.0 Oracle Communications Services Gatekeeper 7.0 Oracle Retail Merchandising System 15.0.3 Oracle Communications Evolved Communications Application Server 7.1 Oracle Banking Virtual Account Management 14.3.0 Oracle Banking Virtual Account Management 14.2.0 Oracle Banking Virtual Account Management 14.5.0 Oracle Insurance Policy Administration J2Ee 11.0.2 Oracle Communications Unified Inventory Management 7.4.1 Oracle Retail Xstore Point OF Service 16.0.6 Oracle Retail Xstore Point OF Service 17.0.4 Oracle Retail Xstore Point OF Service 18.0.3 Oracle Retail Xstore Point OF Service 19.0.2 Oracle Communications Cloud Native Core Unified Data Repository 1.4.0 Oracle Retail Customer Management AND Segmentation Foundation 16.0 Oracle Retail Customer Management AND Segmentation Foundation 16.0.1 Oracle Retail Customer Management AND Segmentation Foundation 16.0.2 Oracle Retail Customer Management AND Segmentation Foundation 17.0 Oracle Retail Customer Management AND Segmentation Foundation 17.0.1 Oracle Retail Customer Management AND Segmentation Foundation 18.0 Oracle Retail Customer Management AND Segmentation Foundation 18.1 Oracle Retail Customer Management AND Segmentation Foundation 19.0 Oracle Autovue FOR Agile Product Lifecycle Management 21.0.2 Oracle Documaker 12.6.3 Oracle Documaker 12.6.4 Oracle Banking Treasury Management 14.4 Oracle Communications Diameter Signaling Route 8.0.0.0 Oracle Communications Diameter Signaling Route 8.3 Oracle Communications Diameter Signaling Route 8.5.0.0 Oracle Communications Diameter Signaling Route - Oracle Communications Pricing Design Center 12.0.0.4.0 Oracle Communications Cloud Native Core Policy 1.14.0 Oracle Communications Instant Messaging Server 10.0.1.5.0 Oracle Communications Offline Mediation Controller 12.0.0.3 Oracle Blockchain Platform -	45
OS	Debian Debian Debian Linux 9.0	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.