Vulnerabilities > CVE-2020-35728 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

NVD

Published: 2020-12-27

Updated: 2023-11-07

Summary

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Vulnerable Configurations

Part	Description	Count
Application	Fasterxml Fasterxml Jackson Databind 2.9.0 Fasterxml Jackson Databind 2.9.1 Fasterxml Jackson Databind 2.9.2 Fasterxml Jackson Databind 2.9.3 Fasterxml Jackson Databind 2.9.4 Fasterxml Jackson Databind 2.9.5 Fasterxml Jackson Databind 2.9.6 Fasterxml Jackson Databind 2.9.7 Fasterxml Jackson Databind 2.9.8 Fasterxml Jackson Databind 2.9.9 Fasterxml Jackson Databind 2.9.9.1 Fasterxml Jackson Databind 2.9.9.2 Fasterxml Jackson Databind 2.9.9.3 Fasterxml Jackson Databind 2.9.9.4 Fasterxml Jackson Databind 2.9.10 Fasterxml Jackson Databind 2.9.10.1 Fasterxml Jackson Databind 2.9.10.2 Fasterxml Jackson Databind 2.9.10.3 Fasterxml Jackson Databind 2.9.10.4 Fasterxml Jackson Databind 2.9.10.5 Fasterxml Jackson Databind 2.9.10.6 Fasterxml Jackson Databind 2.9.10.7	27
Application	Netapp Netapp Service Level Manager -	1
Application	Oracle Oracle Webcenter Portal 12.2.1.3.0 Oracle Webcenter Portal 12.2.1.4.0 Oracle Application Testing Suite 13.3.0.1 Oracle Primavera Unifier 17.7 Oracle Primavera Unifier 17.8 Oracle Primavera Unifier 17.9 Oracle Primavera Unifier 17.10 Oracle Primavera Unifier 17.11 Oracle Primavera Unifier 17.12 Oracle Primavera Unifier 20.12 Oracle Primavera Unifier 18.8 Oracle Primavera Unifier 18.8.2 Oracle Primavera Unifier 18.8.3 Oracle Primavera Unifier 18.8.4 Oracle Primavera Unifier 19.12 Oracle Agile PLM 9.3.6 Oracle Communications Policy Management 12.5.0 Oracle Communications Billing AND Revenue Management 12.0.0.3.0 Oracle Communications Billing AND Revenue Management 7.5.0.23.0 Oracle Communications Services Gatekeeper 7.0 Oracle Retail Merchandising System 15.0.3 Oracle Communications Evolved Communications Application Server 7.1 Oracle Goldengate Application Adapters 19.1.0.0.0 Oracle Data Integrator 12.2.1.4.0 Oracle Banking Virtual Account Management 14.3.0 Oracle Banking Virtual Account Management 14.2.0 Oracle Banking Virtual Account Management 14.5.0 Oracle Autovue 21.0.2 Oracle Insurance Rules Palette 11.0.2 Oracle Insurance Rules Palette 11.1.0 Oracle Insurance Rules Palette 11.1.0.15 Oracle Insurance Rules Palette 11.2.0 Oracle Insurance Rules Palette 11.2.0.26 Oracle Insurance Rules Palette 11.2.7 Oracle Insurance Rules Palette 11.2.8 Oracle Insurance Rules Palette 11.3.0 Oracle Commerce Platform 11.3.0 Oracle Commerce Platform 11.3.1 Oracle Commerce Platform 11.3.2 Oracle Commerce Platform 11.2.0 Oracle Communications Unified Inventory Management 7.4.1 Oracle Retail Xstore Point OF Service 16.0.6 Oracle Retail Xstore Point OF Service 17.0.4 Oracle Retail Xstore Point OF Service 18.0.3 Oracle Retail Xstore Point OF Service 19.0.2 Oracle Retail Service Backbone 15.0.3.1 Oracle Retail Service Backbone 14.1.3.2 Oracle Retail Service Backbone 16.0.3.0 Oracle JD Edwards Enterpriseone Tools - Oracle JD Edwards Enterpriseone Tools 4.0.1.0 Oracle JD Edwards Enterpriseone Tools 9.1 Oracle JD Edwards Enterpriseone Tools 9.1.5 Oracle JD Edwards Enterpriseone Tools 9.2 Oracle JD Edwards Enterpriseone Tools 9.2.4.0 Oracle JD Edwards Enterpriseone Tools 9.2.4.2 Oracle JD Edwards Enterpriseone Tools 9.2.5.0 Oracle JD Edwards Enterpriseone Tools 9.2.5.3 Oracle JD Edwards Enterpriseone Orchestrator - Oracle JD Edwards Enterpriseone Orchestrator 9.2 Oracle JD Edwards Enterpriseone Orchestrator 9.2.4.2 Oracle JD Edwards Enterpriseone Orchestrator 9.2.5.0 Oracle JD Edwards Enterpriseone Orchestrator 9.2.5.1 Oracle JD Edwards Enterpriseone Orchestrator 9.2.5.3 Oracle Insurance Policy Administration 11.1.0 Oracle Insurance Policy Administration 11.2.0 Oracle Insurance Policy Administration 11.2.7 Oracle Insurance Policy Administration 11.2.8 Oracle Insurance Policy Administration 11.3.0 Oracle Insurance Policy Administration 11.0.2 Oracle Primavera Gateway 20.12.0 Oracle Primavera Gateway 19.12.0 Oracle Primavera Gateway 19.12.4 Oracle Primavera Gateway 19.12.10 Oracle Primavera Gateway 18.8.0 Oracle Primavera Gateway 18.8.8 Oracle Primavera Gateway 18.8.8.1 Oracle Primavera Gateway 18.8.9 Oracle Primavera Gateway 18.8.11 Oracle Primavera Gateway 17.12.0 Oracle Primavera Gateway 17.12.6 Oracle Primavera Gateway 17.12.7 Oracle Primavera Gateway 17.12.8 Oracle Primavera Gateway 17.12.9 Oracle Primavera Gateway 17.12.10 Oracle Primavera Gateway 17.12.11 Oracle Communications Cloud Native Core Unified Data Repository 1.4.0 Oracle Communications Network Charging AND Control 12.0.4.0.0 Oracle Communications Convergent Charging Controller 12.0.4.0.0 Oracle Retail Customer Management AND Segmentation Foundation 16.0 Oracle Retail Customer Management AND Segmentation Foundation 16.0.1 Oracle Retail Customer Management AND Segmentation Foundation 16.0.2 Oracle Retail Customer Management AND Segmentation Foundation 17.0 Oracle Retail Customer Management AND Segmentation Foundation 17.0.1 Oracle Retail Customer Management AND Segmentation Foundation 18.0 Oracle Retail Customer Management AND Segmentation Foundation 18.1 Oracle Retail Customer Management AND Segmentation Foundation 19.0 Oracle Banking Credit Facilities Process Management 14.2 Oracle Banking Credit Facilities Process Management 14.3 Oracle Banking Credit Facilities Process Management 14.5 Oracle Banking Corporate Lending Process Management 14.2 Oracle Banking Corporate Lending Process Management 14.3 Oracle Banking Corporate Lending Process Management 14.5 Oracle Banking Supply Chain Finance 14.2 Oracle Banking Supply Chain Finance 14.3 Oracle Banking Supply Chain Finance 14.5 Oracle Banking Treasury Management 14.4 Oracle Communications Diameter Signaling Route 8.0.0.0 Oracle Communications Diameter Signaling Route 8.3 Oracle Communications Diameter Signaling Route 8.5.0.0 Oracle Communications Session Route Manager 8.2.0.0 Oracle Communications Session Route Manager 8.2.1 Oracle Communications Session Route Manager 8.2.2 Oracle Communications Session Route Manager 8.2.2.1 Oracle Communications Session Report Manager 8.0.0.0 Oracle Communications Session Report Manager 8.1.0 Oracle Communications Session Report Manager 8.1.1 Oracle Communications Session Report Manager 8.2.0 Oracle Communications Session Report Manager 8.2.1 Oracle Communications Session Report Manager 8.2.2 Oracle Communications Session Report Manager 8.2.2.1 Oracle Communications Cloud Native Core Policy 1.14.0 Oracle Banking Extensibility Workbench 14.2 Oracle Banking Extensibility Workbench 14.3 Oracle Banking Extensibility Workbench 14.5 Oracle Communications Element Manager 8.2.0.0 Oracle Communications Element Manager 8.2.1 Oracle Communications Element Manager 8.2.2 Oracle Communications Element Manager 8.2.2.1 Oracle Communications Element Manager 8.2.4.0 Oracle Blockchain Platform -	130
OS	Debian Debian Debian Linux 9.0	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References