CVE-2020-8840

FasterXML/jackson-databind
on github

Published

Severity

CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH

Description

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

References

Configurations

CPE23Version StartVersion EndExact Version
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.8.0 (including)2.8.11.5*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.7.0 (including)2.7.9.7*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.9.0 (including)2.9.10.3*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*n/an/a8.0
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*n/an/a-
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*n/an/a-
cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*n/an/a-
cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*n/an/a-
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*n/a11.2.0.3.23*
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*12.2.0.1.0 (including)12.2.0.1.19*
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*13.9.4.0.0 (including)13.9.4.2.1*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.0.0 (including)2.7.9.7*

External Links