PT-2020-5474 · Fasterxml+4 · Jackson-Databind+4
Published 2020-01-31 · Updated 2025-08-19 · CVE-2020-10650
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
jackson-databind versions through 2.9.10.4
Description
A deserialization flaw was discovered in the jackson-databind library. It could allow an unauthenticated attacker to achieve code execution via ignite-jta or quartz-core, specifically through the classes org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. The root cause is deserialization of untrusted data, which may impact the confidentiality, integrity, and availability of protected information.
Recommendations
For jackson-databind versions through 2.9.10.4, update to a version newer than 2.9.10.4 to resolve the issue. As a temporary workaround, consider restricting access to the ignite-jta and quartz-core components to minimize the risk of exploitation. Additionally, avoid using the vulnerable classes org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider until the issue is resolved.
Exploit
Fix
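What the recommendations above amount to in code: the unsafe global default-typing setting next to an allow-listing configuration that refuses polymorphic type ids outside the application's own package, so a payload naming one of the JNDI gadget classes from this advisory is rejected before any class is instantiated. This is an added example, not code from the advisory or from the jackson-databind project; it assumes jackson-databind 2.10 or later (where `BasicPolymorphicTypeValidator` and `activateDefaultTyping` exist), a hypothetical application package `com.example.model`, and constructed sample payloads.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonHardening {

    // Hypothetical application type that legitimately needs polymorphic handling.
    public static class Greeting {
        public String text;
    }

    // Weak setting: global default typing with no validator. Any class on the
    // classpath, including the JNDI gadget classes named in this advisory,
    // becomes a candidate for instantiation from attacker-controlled JSON.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Corrected setting: type ids are honoured only for classes under the
    // application's own package prefix. Do NOT use allowIfBaseType(Object.class):
    // an allowed base type switches sub-type validation off entirely.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Returns true when the mapper refuses the type id carried in the payload.
    public static boolean rejectsTypeId(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true; // denied by the validator, or not resolvable at all
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed payloads in Jackson's default-typing array form: [type id, value].
        String allowed = "[\"com.example.model.JacksonHardening$Greeting\",{\"text\":\"hi\"}]";
        String gadget = "[\"org.quartz.utils.JNDIConnectionProvider\",{}]";
        System.out.println("allowed payload rejected: " + rejectsTypeId(mapper, allowed));
        System.out.println("gadget payload rejected: " + rejectsTypeId(mapper, gadget));
    }
}
```

With the hardened mapper the `Greeting` payload deserializes and the gadget payload is refused; with `weakMapper()` the refusal depends only on whether quartz-core happens to be on the classpath, which is the condition the advisory's workaround tries to control.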
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Ignite-Jta
Jackson-Databind
Quartzcore