CVE-2020-10650

HIGH EPSS 87.0%
Published Dec 26, 20223y ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
High
Find Similar
Published Dec 26, 2022 3y ago
Last Modified Jun 17, 2026 2w ago

Description

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
87.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

Affected Products 10

VendorProductVersionRange
debiandebian_linux10.0any
netappactive_iq_unified_manager*any
netappactive_iq_unified_manager*any
netappactive_iq_unified_manager*any
fasterxmljackson-databind* <2.9.10.4
fasterxmljackson-databind2.10.0any
fasterxmljackson-databind2.10.0any
fasterxmljackson-databind2.10.0any
oracleretail_merchandising_system15.0any
oracleretail_sales_audit14.1any

References 8

  • github.com https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
    PatchThird Party Advisory
  • github.com https://github.com/FasterXML/jackson-databind/issues/2658
    PatchThird Party Advisory
  • github.com https://github.com/advisories/GHSA-rpr3-cw39-3pxh
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
    Third Party Advisory
  • medium.com https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
    ExploitThird Party Advisory
  • security.netapp.com https://security.netapp.com/advisory/ntap-20230818-0007/
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
    PatchThird Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2022.html
    PatchThird Party Advisory

Remediation

  • github.com https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
    PatchThird Party Advisory
  • github.com https://github.com/FasterXML/jackson-databind/issues/2658
    PatchThird Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2021.html
    PatchThird Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2022.html
    PatchThird Party Advisory