SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CVE

CVE-2020-10650

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:		CVSS V2 Severity:
CVSS Score : 8.1		CVSS Score :
Exploit Score: 2.2		Exploit Score:
Impact Score: 5.9		Impact Score:

CVSS V3 Metrics:		CVSS V2 Metrics:
Attack Vector: NETWORK		Access Vector:
Attack Complexity: HIGH		Access Complexity:
Privileges Required: NONE		Authentication:
User Interaction: NONE		Confidentiality:
Scope: UNCHANGED		Integrity:
Confidentiality: HIGH		Availability:
Integrity: HIGH
Availability: HIGH

Reference:

https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef

https://github.com/FasterXML/jackson-databind/issues/2658

https://github.com/advisories/GHSA-rpr3-cw39-3pxh

https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

https://security.netapp.com/advisory/ntap-20230818-0007/

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2022.html


30481



423868



256148



909



199106



282