CVE-2020-8840

Published: Feb 10, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Affected (15)

Products: Fasterxml: Jackson Databind · Debian: Debian Linux · Netapp: Oncommand Api Services, Oncommand Workflow Automation, Service Level Manager, Steelstore Cloud Integrated Storage · +2 more

Show all products

Fasterxml: Jackson Databind · Debian: Debian Linux · Netapp: Oncommand Api Services, Oncommand Workflow Automation, Service Level Manager, Steelstore Cloud Integrated Storage · Huawei: Oceanstor 9000 Firmware · Oracle: Global Lifecycle Management Opatch

1 product

1 product

4 products

Oncommand Api Services

Oncommand Workflow Automation

Service Level Manager

Steelstore Cloud Integrated Storage

Huawei

1 product

Oceanstor 9000 Firmware

Oracle

1 product

Global Lifecycle Management Opatch

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.0.0 to 2.7.9.7
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.5
Fasterxml Jackson Databind	From 2.9.0 to 2.9.10.3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Api Services	All versions
Netapp Oncommand Workflow Automation	All versions
Netapp Service Level Manager	All versions
Netapp Steelstore Cloud Integrated Storage	All versions

Configuration D

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Huawei Oceanstor 9000 Firmware	Version v300r006c20
Huawei Oceanstor 9000 Firmware	Version v300r006c20spc100
Huawei Oceanstor 9000 Firmware	Version v300r006c20spc200
Huawei Oceanstor 9000 Firmware	Version v300r006c20spc300

Running on/with	Platform Versions
Huawei Oceanstor 9000	All versions

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Oracle Global Lifecycle Management Opatch	Before 11.2.0.3.23
Oracle Global Lifecycle Management Opatch	From 12.2.0.1.0 to 12.2.0.1.19
Oracle Global Lifecycle Management Opatch	From 13.9.4.0.0 to 13.9.4.2.1

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (88)

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en

Source: cve@mitre.org

Third Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2620

Source: cve@mitre.org

Third Party Advisory

https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da%40%3Cnotifications.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71%40%3Cnotifications.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3%40%3Ccommits.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882%40%3Cissues.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5%40%3Cissues.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220%40%3Cdev.kafka.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485%40%3Cissues.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1%40%3Cjira.kafka.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7%40%3Cdev.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1%40%3Cnotifications.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89%40%3Cissues.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e%40%3Ccommits.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23%40%3Ccommits.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c%40%3Cissues.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21%40%3Ccommits.zookeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a%40%3Cdev.ranger.apache.org%3E

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20200327-0002/

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: cve@mitre.org

Third Party Advisory

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en