PT-2020-5475 · Fasterxml+6 · Jackson-Databind+6

Published

2020-01-31

Updated

2025-01-28

CVE-2020-10672

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.4

Description The issue is related to the interaction between serialization gadgets and typing, specifically with the org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory component. This can lead to the deserialization of untrusted data, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.4, update to version 2.9.10.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory component until a patch is available.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALSA-2020:1644

ALT-PU-2021-1792

BDU:2021-00768

CESA-2020_1644

CVE-2020-10672

DLA-2153-1

GHSA-95CM-88F5-F2C7

MGASA-2021-0153

RHSA-2020:1644

RHSA-2020:3461

RHSA-2020:3462

RHSA-2020:3463

RHSA-2020:3637

RHSA-2020:3638

RHSA-2020:3639

RHSA-2020_1644

RHSA-2025:1746

RLSA-2020:1644

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Almalinux

Centos

Red Hat

Rocky Linux

Ubuntu

Jackson-Databind

PT-2020-5475 · Fasterxml+6 · Jackson-Databind+6

CVE-2020-10672

Weakness Enumeration

Related Identifiers

Affected Products

References · 121