CVE-2020-14061

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.5

Description: The issue is related to the deserialization mechanism in the Jackson-databind library. It can be exploited by a remote attacker to execute arbitrary code. The vulnerability is associated with the interaction between serialization gadgets and typing, particularly with certain Oracle JMS connection factories, including oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory.

Recommendations: For FasterXML jackson-databind versions 2.x before 2.9.10.5, update to version 2.9.10.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the affected Oracle JMS connection factories until a patch is applied.