CVE-2020-35728

high
Published 2020-12-27 · Modified 2024-02-18
CVSS v3
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4
—
not yet in upstream
VIR risk
8.1

Description

Serialization gadget exploit in jackson-databind

Predictions

Exploit likelihood
88%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


OS impact

SUSE: Affected (1 release)
Version | Status | Fixed in
— | Affected | —

Debian: Mixed (6 releases)
Version | Status | Fixed in
trixie | Fixed | 2.12.1-1
sid | Fixed | 2.12.1-1
forky | Fixed | 2.12.1-1
bullseye | Fixed | 2.12.1-1
bookworm | Fixed | 2.12.1-1
9.0 | Affected | —

Package impact

Ecosystem | Package | Vulnerable | Fixed
Maven (java) | com.fasterxml.jackson.core:jackson-databind | >=2.0.0,<2.9.10.8 | 2.9.10.8

Application impact

Vendor | Product | Versions | Fixed
fasterxml | jackson-databind | >=2.0.0,<2.6.7.5 | 2.6.7.5
netapp | service_level_manager | - | —
oracle | agile_plm | 9.3.6 | —
oracle | application_testing_suite | 13.3.0.1 | —
oracle | autovue | 21.0.2 | —
oracle | banking_corporate_lending_process_management | 14.2 | —
oracle | banking_corporate_lending_process_management | 14.3 | —
oracle | banking_corporate_lending_process_management | 14.5 | —
oracle | banking_credit_facilities_process_management | 14.2 | —
oracle | banking_credit_facilities_process_management | 14.3 | —
oracle | banking_credit_facilities_process_management | 14.5 | —
oracle | banking_extensibility_workbench | 14.2 | —
oracle | banking_extensibility_workbench | 14.3 | —
oracle | banking_extensibility_workbench | 14.5 | —
oracle | banking_supply_chain_finance | 14.2 | —
oracle | banking_supply_chain_finance | 14.3 | —
oracle | banking_supply_chain_finance | 14.5 | —
oracle | banking_treasury_management | 14.4 | —
oracle | banking_virtual_account_management | 14.2.0 | —
oracle | banking_virtual_account_management | 14.3.0 | —
oracle | banking_virtual_account_management | 14.5.0 | —
oracle | blockchain_platform | <=21.1.2 | —
oracle | commerce_platform | >=11.3.0,<=11.3.2 | —
oracle | commerce_platform | 11.2.0 | —
oracle | communications_billing_and_revenue_management | 7.5.0.23.0 | —
oracle | communications_billing_and_revenue_management | 12.0.0.3.0 | —
oracle | communications_cloud_native_core_policy | 1.14.0 | —
oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 | —
oracle | communications_convergent_charging_controller | 12.0.4.0.0 | —
oracle | communications_diameter_signaling_route | >=8.0.0.0,<=8.5.0.0 | —
oracle | communications_element_manager | >=8.2.0.0,<=8.2.4.0 | —
oracle | communications_evolved_communications_application_server | 7.1 | —
oracle | communications_network_charging_and_control | 12.0.4.0.0 | —
oracle | communications_policy_management | 12.5.0 | —
oracle | communications_services_gatekeeper | 7.0 | —
oracle | communications_session_report_manager | >=8.0.0.0,<=8.2.2.1 | —
oracle | communications_session_route_manager | >=8.2.0.0,<=8.2.2.1 | —
oracle | communications_unified_inventory_management | 7.4.1 | —
oracle | data_integrator | 12.2.1.4.0 | —
oracle | goldengate_application_adapters | 19.1.0.0.0 | —
oracle | insurance_policy_administration | >=11.1.0,<=11.3.0 | —
oracle | insurance_policy_administration | 11.0.2 | —
oracle | insurance_rules_palette | >=11.1.0,<=11.3.0 | —
oracle | insurance_rules_palette | 11.0.2 | —
oracle | jd_edwards_enterpriseone_orchestrator | <9.2.5.3 | 9.2.5.3
oracle | jd_edwards_enterpriseone_tools | <9.2.5.3 | 9.2.5.3
oracle | primavera_gateway | >=17.12.0,<=17.12.11 | —
oracle | primavera_gateway | 20.12.0 | —
oracle | primavera_unifier | >=17.7,<=17.12 | —
oracle | primavera_unifier | 20.12 | —
oracle | retail_customer_management_and_segmentation_foundation | >=16.0,<=19.0 | —
oracle | retail_merchandising_system | 15.0.3 | —
oracle | retail_service_backbone | 14.1.3.2 | —
oracle | retail_service_backbone | 15.0.3.1 | —
oracle | retail_service_backbone | 16.0.3.0 | —
oracle | retail_xstore_point_of_service | 16.0.6 | —
oracle | retail_xstore_point_of_service | 17.0.4 | —
oracle | retail_xstore_point_of_service | 18.0.3 | —
oracle | retail_xstore_point_of_service | 19.0.2 | —
oracle | webcenter_portal | 12.2.1.3.0 | —
oracle | webcenter_portal | 12.2.1.4.0 | —

References

CWEs

CWE-502