CVE-2020-11113

Published Mar 31, 2020

Last updated 3 days ago

CVSS high 8.8

Overview

Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Source: cve@mitre.org
NVD status: Analyzed
Products: jackson-databind, debian_linux, steelstore_cloud_integrated_storage, agile_plm, autovue_for_agile_product_lifecycle_management, banking_digital_experience, banking_platform, communications_calendar_server, communications_contacts_server, communications_diameter_signaling_router, communications_element_manager, communications_evolved_communications_application_server, communications_instant_messaging_server, communications_network_charging_and_control, communications_session_report_manager, communications_session_route_manager, enterprise_manager_base_platform, financial_services_analytical_applications_infrastructure, financial_services_institutional_performance_analytics, financial_services_price_creation_and_discovery, financial_services_retail_customer_analytics, global_lifecycle_management_opatch, insurance_policy_administration_j2ee, jd_edwards_enterpriseone_orchestrator, jd_edwards_enterpriseone_tools, primavera_unifier, retail_merchandising_system, retail_sales_audit, retail_service_backbone, retail_xstore_point_of_service, webcenter_portal, weblogic_server

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-502
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "C2BF4BC7-EDDB-4187-B386-12413253D234",
            "versionEndExcluding": "2.9.10.4",
            "versionStartIncluding": "2.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "97994257-C9A4-4491-B362-E8B25B7187AB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "BBE7BF09-B89C-4590-821E-6C0587E096B5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "ADAE8A71-0BCD-42D5-B38C-9B2A27CC1E6B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*",
            "matchCriteriaId": "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "5343F8F8-E8B4-49E9-A304-9C8A608B8027",
            "versionEndIncluding": "2.9.0",
            "versionStartIncluding": "2.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "46059231-E7F6-4402-8119-1C7FE4ABEA96",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "D01A0BBC-DA0E-4AFE-83BF-4F3BA01653EC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "526E2FE5-263F-416F-8628-6CD40B865780",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "B51F78F4-8D7E-48C2-86D1-D53A6EB348A7",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "987811D5-DA5E-493D-8709-F9231A84E5F9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "0DB23B9A-571E-4B77-B432-23F3DC9B67D1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "2AB443D1-D8E0-4253-9E1C-B62AEBBE582A",
            "versionEndIncluding": "12.0.3",
            "versionStartIncluding": "12.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "ECC00750-1DBF-401F-886E-E0E65A277409",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "3E5416A1-EE58-415D-9645-B6A875EBAED2",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "11B0C37E-D7C7-45F2-A8D8-5A3B1B191430",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "7582B307-3899-4BBB-B868-BC912A4D0109",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "021014B2-DC51-481C-BCFE-5857EFBDEDDA",
            "versionEndIncluding": "8.1.0",
            "versionStartIncluding": "8.0.6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "37C8EE84-A840-4132-B331-C7D450B1FBBF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*",
            "matchCriteriaId": "1D8436A2-9CA3-4C91-B632-9B03368ABC1B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "A00142E6-EEB3-44BD-AB0D-0E5C5640557F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "4A01F8ED-64DA-43BC-9C02-488010BCD0F4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*",
            "matchCriteriaId": "75638A6A-88B2-4BC7-84EA-1CF5FC30D555",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "1FBF422E-3F67-4599-A7C1-0E2E4224553A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "A8200D5C-D3C7-4936-84A7-37864DEEC62B",
            "versionEndExcluding": "12.2.0.1.20",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2.25:*:*:*:*:*:*:*",
            "matchCriteriaId": "72F28CE3-F835-4458-8D70-CBE9FC2F7E7A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0.15:*:*:*:*:*:*:*",
            "matchCriteriaId": "9F058FDA-04BC-4F32-830D-206983770692",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "6E46AE88-E9F8-41CB-B15F-12F5127A1E8D",
            "versionEndExcluding": "9.2.4.2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "A3D635AE-5E4A-47FB-9FCA-D82D52A61367",
            "versionEndExcluding": "9.2.4.2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "08FA59A8-6A62-4B33-8952-D6E658F8DAC9",
            "versionEndIncluding": "17.12",
            "versionStartIncluding": "17.7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "D55A54FD-7DD1-49CD-BE81-0BE73990943C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "82EB08C0-2D46-4635-88DF-E54F6452D3A3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
            "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*",
            "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "792DF04A-2D1B-40B5-B960-3E7152732EB8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "7DA6E92C-AC3B-40CF-96AE-22CD8769886F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "378A6656-252B-4929-83EA-BC107FDFD357",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "363395FA-C296-4B2B-9D6F-BCB8DBE6FACE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "F62A2144-5EF8-4319-B8C2-D7975F51E5FA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "11DA6839-849D-4CEF-85F3-38FE75E07183",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "BCE78490-A4BE-40BD-8C72-0A4526BBD4A4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "55AE3629-4A66-49E4-A33D-6D81CC94962F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "27C26705-6D1F-4D5E-B64D-B479108154FF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

Related CVEs

References