CVE-2020-8840

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.0.0 through 2.9.10.2 FasterXML jackson-databind 2.x before 2.6.7.4 FasterXML jackson-databind 2.7.x before 2.7.9.7 FasterXML jackson-databind 2.8.x before 2.8.11.5 FasterXML jackson-databind 2.9.x before 2.9.10.2

Description: The issue is related to the xbean-reflect/JNDI component of the Jackson-databind library, which lacks certain blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. This can allow a remote attacker to access confidential data, compromise data integrity, and cause a denial of service by exploiting the vulnerability, which is associated with the restoration of untrusted data structures in memory.

Recommendations: For FasterXML jackson-databind versions 2.0.0 through 2.9.10.2, update to a version that includes the necessary xbean-reflect/JNDI blocking. For FasterXML jackson-databind 2.x before 2.6.7.4, update to version 2.6.7.4 or later. For FasterXML jackson-databind 2.7.x before 2.7.9.7, update to version 2.7.9.7 or later. For FasterXML jackson-databind 2.8.x before 2.8.11.5, update to version 2.8.11.5 or later. For FasterXML jackson-databind 2.9.x before 2.9.10.2, update to version 2.9.10.2 or later. As a temporary workaround, consider disabling the org.apache.xbean.propertyeditor.JndiConverter class until a patch is available.