CVE-2020-10650

Published: Dec 26, 2022Modified: Aug 19, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Affected (10)

Products: Debian: Debian Linux · Netapp: Active Iq Unified Manager · Fasterxml: Jackson Databind · +1 more

Show all products

Debian: Debian Linux · Netapp: Active Iq Unified Manager · Fasterxml: Jackson Databind · Oracle: Retail Merchandising System, Retail Sales Audit

1 product

1 product

Active Iq Unified Manager

1 product

Jackson Databind

2 products

Retail Merchandising System

Retail Sales Audit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	Before 2.9.10.4
Fasterxml Jackson Databind	Version 2.10.0 prerelease1
Fasterxml Jackson Databind	Version 2.10.0 prerelease2
Fasterxml Jackson Databind	Version 2.10.0 prerelease3

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Oracle Retail Merchandising System	Version 15.0
Oracle Retail Sales Audit	Version 14.1

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (16)

https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2658

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/advisories/GHSA-rpr3-cw39-3pxh

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html

Source: cve@mitre.org

Third Party Advisory

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Source: cve@mitre.org

ExploitThird Party Advisory

https://security.netapp.com/advisory/ntap-20230818-0007/

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2658

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/advisories/GHSA-rpr3-cw39-3pxh

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://security.netapp.com/advisory/ntap-20230818-0007/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.