PT-2019-5300 · Net.Sf+8 · Ehcache+8

Published

2019-10-19

·

Updated

2025-01-28

·

CVE-2019-20330

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.0.0 through 2.9.10.1 FasterXML jackson-databind versions 2.6.0 through 2.6.7.3 FasterXML jackson-databind versions 2.7.0 through 2.7.9.6 FasterXML jackson-databind versions 2.8.0 through 2.8.11.4
Description The issue is related to the restoration of untrusted data in memory, which can allow a remote attacker to gain unauthorized access to protected information or cause a denial of service. The problem lacks certain net.sf.ehcache blocking, which is necessary for security.
Recommendations For FasterXML jackson-databind versions 2.0.0 through 2.9.10.1, update to version 2.9.10.2 or later. For FasterXML jackson-databind versions 2.6.0 through 2.6.7.3, update to version 2.6.7.4 or later. For FasterXML jackson-databind versions 2.7.0 through 2.7.9.6, update to version 2.7.9.7 or later. For FasterXML jackson-databind versions 2.8.0 through 2.8.11.4, update to version 2.8.11.5 or later. As a temporary workaround, consider disabling the use of net.sf.ehcache until a patch is available.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALSA-2020:1644
ALT-PU-2021-1792
BDU:2020-02242
CESA-2020_1644
CVE-2019-20330
DLA-2111-1
GHSA-GWW7-P5W4-WRFV
MGASA-2021-0153
OPENSUSE-SU-2024:10868-1
RHSA-2020:1644
RHSA-2020_1644
RLSA-2020:1644
ROSA-SA-2025-2629
USN-4813-1

Affected Products

Alt Linux
Almalinux
Centos
Jira
Red Hat
Rocky Linux
Ubuntu
Ehcache
Jackson-Databind