PT-2020-6701 · Fasterxml · Fasterxml Jackson Databind

Published: 2017-11-01 · Updated: 2025-06-09 · CVE-2020-25649

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: FasterXML Jackson Databind (affected versions not specified)
Description: A flaw in FasterXML Jackson Databind leaves it vulnerable to XML external entity (XXE) attacks because entity expansion is not securely restricted. The highest threat from this issue is to data integrity. The flaw lies in the DOMDeserializer component, which does not correctly restrict XML references to external entities, allowing a remote attacker to conduct XXE attacks.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
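The defensive pattern the description implies, written here as an added illustration rather than jackson-databind's own code: a DOM parser factory that disables DOCTYPE processing and external entity loading outright, with a check that a document carrying a DOCTYPE is refused. The class name and both sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical hardened DOM parsing of the kind a DOM-producing deserializer needs. */
public final class HardenedDomParser {

    // Constructed samples: any XXE attempt needs a DOCTYPE, so rejecting DOCTYPE closes the door.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>";
    static final String PLAIN = "<d>ok</d>";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // setExpandEntityReferences(false) alone does not reliably stop external entity
        // resolution (that gap is the issue behind this CVE); disable the mechanisms themselves.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the input with the hardened factory; returns null if the parser rejected it. */
    static Document parseOrNull(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException rejected) {
            return null; // a DOCTYPE is present, so the parser refuses the whole document
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document parsed: " + (parseOrNull(PLAIN) != null));
        System.out.println("DOCTYPE document rejected: " + (parseOrNull(WITH_DOCTYPE) == null));
    }
}
```

The feature URIs are the standard Xerces ones honoured by the JDK's built-in parser; a third-party JAXP implementation may need its own equivalents.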

Exploit: XXE


Weakness Enumeration

Related Identifiers

ALT-PU-2017-2557
ALT-PU-2021-1907
BDU:2022-05602
CVE-2020-25649
DLA-2406-1
DLA-2638-1
GHSA-288C-CQ4H-88GQ
MGASA-2021-0153
OPENSUSE-SU-2022_1678-1
OPENSUSE-SU-2024:10868-1
RHSA-2020:4312
RHSA-2020:4401
RHSA-2020:5340
RHSA-2020:5341
RHSA-2020:5342
RHSA-2021:0381
ROSA-SA-2025-2629
SUSE-SU-2021:0243-1
SUSE-SU-2022:1678-1
SUSE-SU-2022_1678-1

Affected Products

Alt Linux
Astra Linux
Fasterxml Jackson Databind
Red Os
Suse