PT-2020-5473 · Apache+3 · Activemq-Jms+6

Published

2020-01-31

Updated

2025-01-28

CVE-2020-11111

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.4

Description The issue is related to the org.apache.activemq component of the Jackson-databind library, which mishandles the interaction between serialization gadgets and typing. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is related to the activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms components.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.4, update to version 2.9.10.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the org.apache.activemq component to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALT-PU-2021-1792

BDU:2021-00763

CVE-2020-11111

DLA-2179-1

GHSA-V3XW-C963-F5HC

MGASA-2021-0153

RHSA-2020:1523

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Ubuntu

Activemq-Core

Activemq-Jms

Activemq-Pool

Activemq-Pool-Jms

Jackson-Databind

PT-2020-5473 · Apache+3 · Activemq-Jms+6

CVE-2020-11111

Weakness Enumeration

Related Identifiers

Affected Products

References · 106