TROYANOSYVIRUS
Back to CVEs

CVE-2020-14061

HIGH
8.1

Description

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVE Details

CVSS v3.1 Score8.1
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published6/14/2020
Last Modified8/27/2025
Sourcenvd
Honeypot Sightings0

Affected Products

debian:debian_linuxfasterxml:jackson-databindnetapp:active_iq_unified_managernetapp:steelstore_cloud_integrated_storageoracle:agile_plmoracle:autovue_for_agile_product_lifecycle_managementoracle:banking_digital_experienceoracle:communications_calendar_serveroracle:communications_contacts_serveroracle:communications_diameter_signaling_routeroracle:communications_element_manageroracle:communications_evolved_communications_application_serveroracle:communications_instant_messaging_serveroracle:communications_session_report_manageroracle:communications_session_route_manager

Weaknesses (CWE)

CWE-502CWE-502

References

https://github.com/FasterXML/jackson-databind/issues/2698(cve@mitre.org)
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html(cve@mitre.org)
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062(cve@mitre.org)
https://security.netapp.com/advisory/ntap-20200702-0003/(cve@mitre.org)
https://www.oracle.com//security-alerts/cpujul2021.html(cve@mitre.org)
https://www.oracle.com/security-alerts/cpuApr2021.html(cve@mitre.org)
https://www.oracle.com/security-alerts/cpujan2021.html(cve@mitre.org)
https://www.oracle.com/security-alerts/cpuoct2020.html(cve@mitre.org)
https://www.oracle.com/security-alerts/cpuoct2021.html(cve@mitre.org)
https://github.com/FasterXML/jackson-databind/issues/2698(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html(af854a3a-2127-422b-91ae-364da2661108)
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20200702-0003/(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com//security-alerts/cpujul2021.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuApr2021.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2021.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.