CVE-2020-10650
HIGH EPSS 87.0%
Published Dec 26, 20223y ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
Published Dec 26, 2022 3y ago
Last Modified Jun 17, 2026 2w ago
Description
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
87.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
Affected Products 10
| Vendor | Product | Version | Range |
|---|---|---|---|
| debian | debian_linux | 10.0 | any |
| netapp | active_iq_unified_manager | * | any |
| netapp | active_iq_unified_manager | * | any |
| netapp | active_iq_unified_manager | * | any |
| fasterxml | jackson-databind | * | <2.9.10.4 |
| fasterxml | jackson-databind | 2.10.0 | any |
| fasterxml | jackson-databind | 2.10.0 | any |
| fasterxml | jackson-databind | 2.10.0 | any |
| oracle | retail_merchandising_system | 15.0 | any |
| oracle | retail_sales_audit | 14.1 | any |
References 8
- github.com https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
- github.com https://github.com/FasterXML/jackson-databind/issues/2658
- github.com https://github.com/advisories/GHSA-rpr3-cw39-3pxh
- lists.debian.org https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
- medium.com https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- security.netapp.com https://security.netapp.com/advisory/ntap-20230818-0007/
- oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
- oracle.com https://www.oracle.com/security-alerts/cpuoct2022.html
Remediation
- github.com https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
- github.com https://github.com/FasterXML/jackson-databind/issues/2658
- oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
- oracle.com https://www.oracle.com/security-alerts/cpuoct2022.html