CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/FasterXML/jackson-databind/issues/2999	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html	Mailing List Third Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20210129-0007/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
	cpe:2.3:a:oracle:autovue:21.0.2:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.2:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.3:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.5:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:::::::*
	cpe:2.3:a:oracle:banking_treasury_management:14.4:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
	cpe:2.3:a:oracle:blockchain_platform::::::::
	cpe:2.3:a:oracle:commerce_platform::::::::
	cpe:2.3:a:oracle:commerce_platform:11.2.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:::::::*
	cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_route::::::::
	cpe:2.3:a:oracle:communications_element_manager::::::::
	cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:::::::*
	cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:::::::*
	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
	cpe:2.3:a:oracle:communications_session_report_manager::::::::
	cpe:2.3:a:oracle:communications_session_route_manager::::::::
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration::::::::
	cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette::::::::
	cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator::::::::
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway:20.12.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation::::::::
	cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

History

02 Sep 2022, 14:50

Type	Values Removed	Values Added
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory
CPE	cpe:2.3:a:oracle:banking_virtual_account_managemen:14.3:::::::* cpe:2.3:a:oracle:banking_virtual_account_managemen:14.2:::::::* cpe:2.3:a:oracle:banking_virtual_account_managemen:14.5:::::::*	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::* cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*

25 Jul 2022, 18:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

28 Apr 2022, 18:34

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:blockchain_platform:::::::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

20 Apr 2022, 00:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

03 Mar 2022, 16:03

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_managemen:14.5:::::::* cpe:2.3:a:oracle:insurance_policy_administration:::::::: cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:::::::* cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:::::::* cpe:2.3:a:oracle:communications_session_route_manager:::::::: cpe:2.3:a:oracle:communications_diameter_signaling_route:::::::: cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:::::::: cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_managemen:14.2:::::::* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:::::::* cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:::::::: cpe:2.3:a:oracle:retail_service_backbone:16.0.3.0:::::::* cpe:2.3:a:oracle:autovue:21.0.2:::::::* cpe:2.3:a:oracle:banking_extensibility_workbench:14.3:::::::* cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::* cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:::::::* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::* cpe:2.3:a:oracle:banking_extensibility_workbench:14.5:::::::* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:::::::* cpe:2.3:a:oracle:banking_treasury_management:14.4:::::::* cpe:2.3:a:oracle:primavera_unifier:::::::: cpe:2.3:a:oracle:primavera_unifier:20.12:::::::* cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:::::::* cpe:2.3:a:oracle:banking_extensibility_workbench:14.2:::::::* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:::::::: cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:::::::* cpe:2.3:a:oracle:commerce_platform:11.2.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::* cpe:2.3:a:oracle:communications_element_manager:::::::: cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::* cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::* cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:::::::* cpe:2.3:a:oracle:communications_session_report_manager:::::::: cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:::::::* cpe:2.3:a:oracle:insurance_rules_palette:::::::: cpe:2.3:a:oracle:primavera_gateway:::::::: cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:::::::* cpe:2.3:a:oracle:commerce_platform:::::::: cpe:2.3:a:oracle:primavera_gateway:20.12.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_managemen:14.3:::::::* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:::::::* cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:::::::* cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:::::::* cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::* cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Third Party Advisory~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

17 Nov 2021, 20:19

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Third Party Advisory

20 Oct 2021, 11:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

14 Jun 2021, 18:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

Information

Published : 2020-12-27 05:15

Updated : 2024-02-04 21:23

NVD link : CVE-2020-35728

Mitre link : CVE-2020-35728

CVE.ORG link : CVE-2020-35728

JSON object : View

Products Affected

oracle

communications_session_report_manager
goldengate_application_adapters
retail_service_backbone
primavera_unifier
webcenter_portal
insurance_rules_palette
communications_session_route_manager
banking_treasury_management
retail_xstore_point_of_service
communications_diameter_signaling_route
communications_billing_and_revenue_management
communications_unified_inventory_management
banking_virtual_account_management
agile_plm
banking_corporate_lending_process_management
banking_credit_facilities_process_management
communications_evolved_communications_application_server
application_testing_suite
communications_policy_management
primavera_gateway
retail_customer_management_and_segmentation_foundation
banking_supply_chain_finance
data_integrator
retail_merchandising_system
communications_convergent_charging_controller
blockchain_platform
communications_services_gatekeeper
commerce_platform
autovue
communications_element_manager
jd_edwards_enterpriseone_tools
jd_edwards_enterpriseone_orchestrator
communications_cloud_native_core_unified_data_repository
communications_network_charging_and_control
insurance_policy_administration
banking_extensibility_workbench
communications_cloud_native_core_policy

debian

debian_linux

netapp

service_level_manager

fasterxml

jackson-databind

CWE

CWE-502

Deserialization of Untrusted Data

8.1 /10