CVE-2020-11113

high
Published 2020-03-31 · Modified 2026-02-04
CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS v4: — (not yet in upstream)
VIR risk: 8.8

Description

jackson-databind mishandles the interaction between serialization gadgets and typing

Predictions

Exploit likelihood: 92%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

OS impact

Debian (mixed status, 6 releases)

Version  | Status   | Fixed in
trixie   | Fixed    | 2.11.1-1
sid      | Fixed    | 2.11.1-1
forky    | Fixed    | 2.11.1-1
bullseye | Fixed    | 2.11.1-1
bookworm | Fixed    | 2.11.1-1
8.0      | Affected | —

Package impact

Ecosystem    | Package                                         | Vulnerable           | Fixed
Maven (java) | com.fasterxml.jackson.core:jackson-databind     | >=2.9.0, <2.9.10.4   | 2.9.10.4

Application impact

Vendor    | Product                                                   | Versions                | Fixed
fasterxml | jackson-databind                                          | >=2.0.0, <2.9.10.4      | 2.9.10.4
netapp    | steelstore_cloud_integrated_storage                       | -                       | —
oracle    | agile_plm                                                 | 9.3.6                   | —
oracle    | autovue_for_agile_product_lifecycle_management            | 21.0.2                  | —
oracle    | banking_digital_experience                                | 18.1                    | —
oracle    | banking_digital_experience                                | 18.2                    | —
oracle    | banking_digital_experience                                | 18.3                    | —
oracle    | banking_digital_experience                                | 19.1                    | —
oracle    | banking_digital_experience                                | 19.2                    | —
oracle    | banking_digital_experience                                | 20.1                    | —
oracle    | banking_platform                                          | >=2.4.0, <=2.9.0        | —
oracle    | communications_calendar_server                            | 8.0.0.4.0               | —
oracle    | communications_contacts_server                            | 8.0.0.5.0               | —
oracle    | communications_diameter_signaling_router                  | >=8.0.0, <=8.2.2        | —
oracle    | communications_element_manager                            | >=8.2.0, <=8.2.2        | —
oracle    | communications_evolved_communications_application_server  | 7.1                     | —
oracle    | communications_instant_messaging_server                   | 10.0.1.4.0              | —
oracle    | communications_network_charging_and_control               | >=12.0.0, <=12.0.3      | —
oracle    | communications_network_charging_and_control               | 6.0.1                   | —
oracle    | communications_session_report_manager                     | >=8.2.0, <=8.2.2        | —
oracle    | communications_session_route_manager                      | >=8.2.0, <=8.2.2        | —
oracle    | enterprise_manager_base_platform                          | 13.3.0.0                | —
oracle    | enterprise_manager_base_platform                          | 13.4.0.0                | —
oracle    | financial_services_analytical_applications_infrastructure | >=8.0.6, <=8.1.0        | —
oracle    | financial_services_institutional_performance_analytics    | 8.0.6                   | —
oracle    | financial_services_institutional_performance_analytics    | 8.0.7                   | —
oracle    | financial_services_institutional_performance_analytics    | 8.1.0                   | —
oracle    | financial_services_price_creation_and_discovery           | 8.0.6                   | —
oracle    | financial_services_price_creation_and_discovery           | 8.0.7                   | —
oracle    | financial_services_retail_customer_analytics              | 8.0.6                   | —
oracle    | global_lifecycle_management_opatch                        | <12.2.0.1.20            | 12.2.0.1.20
oracle    | insurance_policy_administration_j2ee                      | 11.0.2.25               | —
oracle    | insurance_policy_administration_j2ee                      | 11.1.0.15               | —
oracle    | jd_edwards_enterpriseone_orchestrator                     | <9.2.4.2                | 9.2.4.2
oracle    | jd_edwards_enterpriseone_tools                            | <9.2.4.2                | 9.2.4.2
oracle    | primavera_unifier                                         | >=17.7, <=17.12         | —
oracle    | primavera_unifier                                         | 16.1                    | —
oracle    | primavera_unifier                                         | 16.2                    | —
oracle    | primavera_unifier                                         | 18.8                    | —
oracle    | primavera_unifier                                         | 19.12                   | —
oracle    | retail_merchandising_system                               | 15.0                    | —
oracle    | retail_sales_audit                                        | 14.1                    | —
oracle    | retail_service_backbone                                   | 14.1                    | —
oracle    | retail_service_backbone                                   | 15.0                    | —
oracle    | retail_service_backbone                                   | 16.0                    | —
oracle    | retail_xstore_point_of_service                            | 15.0                    | —
oracle    | retail_xstore_point_of_service                            | 16.0                    | —
oracle    | retail_xstore_point_of_service                            | 17.0                    | —
oracle    | retail_xstore_point_of_service                            | 18.0                    | —
oracle    | retail_xstore_point_of_service                            | 19.0                    | —
oracle    | webcenter_portal                                          | 12.2.1.3.0              | —
oracle    | webcenter_portal                                          | 12.2.1.4.0              | —
oracle    | weblogic_server                                           | 12.2.1.3.0              | —
oracle    | weblogic_server                                           | 12.2.1.4.0              | —

References

CWEs

CWE-502 (Deserialization of Untrusted Data)