CVE-2020-10650
CVSS V2 None
CVSS V3 None
Description
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
Overview
- CVE ID
- CVE-2020-10650
- Assigner
- cve@mitre.org
- Vulnerability Status
- Modified
- Published Version
- 2022-12-26T20:15:10
- Last Modified Date
- 2023-04-30T19:15:41
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 1 | OR | 2.9.10.4 | |
| cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:* | 1 | OR |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef | Patch Third Party Advisory |
| https://github.com/FasterXML/jackson-databind/issues/2658 | Patch Third Party Advisory |
| https://github.com/advisories/GHSA-rpr3-cw39-3pxh | Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html | |
| https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 | Exploit Third Party Advisory |
| https://www.oracle.com/security-alerts/cpujan2021.html | Patch Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuoct2022.html | Patch Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-10650 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10650 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-26 21:15:01 | Added to TrackCVE | |||
| 2022-12-27 00:18:15 | 2022-12-27T00:15:12 | CVE Modified Date | updated | |
| 2022-12-27 14:16:04 | 2022-12-27T13:48:11 | CVE Modified Date | updated | |
| 2022-12-27 14:16:04 | Received | Awaiting Analysis | Vulnerability Status | updated |
| 2023-01-03 18:17:03 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
| 2023-01-05 19:15:54 | 2023-01-05T19:13:09 | CVE Modified Date | updated | |
| 2023-01-05 19:15:54 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
| 2023-01-05 19:15:55 | Weakness Enumeration | new | ||
| 2023-01-05 19:15:58 | CPE Information | updated | ||
| 2023-04-30 20:03:12 | 2023-04-30T19:15:41 | CVE Modified Date | updated | |
| 2023-04-30 20:03:12 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-04-30 20:03:14 | References | updated |