CVE-2020-36188
HIGH EPSS 95.3%
Published Jan 6, 20215y ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
Published Jan 6, 2021 5y ago
Last Modified Jun 17, 2026 2w ago
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
95.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
Affected Products 75
| Vendor | Product | Version | Range |
|---|---|---|---|
| fasterxml | jackson-databind | * | ≥2.0.0 – <2.6.7.5 |
| fasterxml | jackson-databind | * | ≥2.7.0 – <2.9.10.8 |
| netapp | cloud_backup | * | any |
| netapp | service_level_manager | * | any |
| debian | debian_linux | 9.0 | any |
| oracle | agile_plm | 9.3.6 | any |
| oracle | application_testing_suite | 13.3.0.1 | any |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 | any |
| oracle | banking_corporate_lending_process_management | 14.2 | any |
| oracle | banking_corporate_lending_process_management | 14.3 | any |
| oracle | banking_corporate_lending_process_management | 14.5 | any |
| oracle | banking_credit_facilities_process_management | 14.2 | any |
| oracle | banking_credit_facilities_process_management | 14.3 | any |
| oracle | banking_credit_facilities_process_management | 14.5 | any |
| oracle | banking_extensibility_workbench | 14.2 | any |
| oracle | banking_extensibility_workbench | 14.3 | any |
| oracle | banking_extensibility_workbench | 14.5 | any |
| oracle | banking_supply_chain_finance | 14.2 | any |
| oracle | banking_supply_chain_finance | 14.3 | any |
| oracle | banking_supply_chain_finance | 14.5 | any |
| oracle | banking_treasury_management | 4.4 | any |
| oracle | banking_virtual_account_management | 14.2.0 | any |
| oracle | banking_virtual_account_management | 14.3.0 | any |
| oracle | banking_virtual_account_management | 14.5.0 | any |
| oracle | blockchain_platform | * | ≤21.1.2 |
| oracle | commerce_platform | * | ≥11.3.0 – ≤11.3.2 |
| oracle | commerce_platform | 11.2.0 | any |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 | any |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 | any |
| oracle | communications_cloud_native_core_policy | 1.14.0 | any |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 | any |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 | any |
| oracle | communications_diameter_signaling_route | * | ≥8.0.0.0 – ≤8.5.0.0 |
| oracle | communications_element_manager | * | ≥8.2.0.0 – ≤8.2.4.0 |
| oracle | communications_evolved_communications_application_server | 7.1 | any |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 | any |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 | any |
| oracle | communications_offline_mediation_controller | 12.0.0.3 | any |
| oracle | communications_policy_management | 12.5.0 | any |
| oracle | communications_pricing_design_center | 12.0.0.4.0 | any |
| oracle | communications_services_gatekeeper | 7.0 | any |
| oracle | communications_session_report_manager | * | ≥8.0.0.0 – ≤8.2.2.1 |
| oracle | communications_session_route_manager | * | ≥8.2.0.0 – ≤8.2.2.1 |
| oracle | communications_unified_inventory_management | 7.4.1 | any |
| oracle | data_integrator | 12.2.1.4.0 | any |
| oracle | documaker | 12.6.0 | any |
| oracle | documaker | 12.6.3 | any |
| oracle | documaker | 12.6.4 | any |
| oracle | goldengate_application_adapters | 19.1.0.0.0 | any |
| oracle | insurance_policy_administration | * | ≥11.1.0 – ≤11.3.0 |
| oracle | insurance_policy_administration | 11.0.2 | any |
| oracle | insurance_rules_palette | * | ≥11.1.0 – ≤11.3.0 |
| oracle | insurance_rules_palette | 11.0.2 | any |
| oracle | jd_edwards_enterpriseone_orchestrator | * | <9.2.5.3 |
| oracle | jd_edwards_enterpriseone_tools | * | <9.2.5.3 |
| oracle | primavera_gateway | * | ≥17.12.0 – ≤17.12.11 |
| oracle | primavera_gateway | * | ≥18.8.0 – ≤18.8.11 |
| oracle | primavera_gateway | * | ≥19.12.0 – ≤19.12.10 |
| oracle | primavera_gateway | 20.12.0 | any |
| oracle | primavera_unifier | * | ≥17.7 – ≤17.12 |
| oracle | primavera_unifier | 17.2 | any |
| oracle | primavera_unifier | 18.8 | any |
| oracle | primavera_unifier | 19.12 | any |
| oracle | primavera_unifier | 20.12 | any |
| oracle | retail_customer_management_and_segmentation_foundation | * | ≥16.0 – ≤19.0 |
| oracle | retail_merchandising_system | 15.0.3 | any |
| oracle | retail_service_backbone | 14.1.3.2 | any |
| oracle | retail_service_backbone | 15.0.3.1 | any |
| oracle | retail_service_backbone | 16.0.3.0 | any |
| oracle | retail_xstore_point_of_service | 16.0.6 | any |
| oracle | retail_xstore_point_of_service | 17.0.4 | any |
| oracle | retail_xstore_point_of_service | 18.0.3 | any |
| oracle | retail_xstore_point_of_service | 19.0.2 | any |
| oracle | webcenter_portal | 12.2.1.3.0 | any |
| oracle | webcenter_portal | 12.2.1.4.0 | any |
References 10
- cowtowncoder.medium.com https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- github.com https://github.com/FasterXML/jackson-databind/issues/2996
- lists.debian.org https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- security.netapp.com https://security.netapp.com/advisory/ntap-20210205-0005/
- oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
- oracle.com https://www.oracle.com/security-alerts/cpuApr2021.html
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
- oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
Remediation
- oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
- oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html