CVE-2020-10650 — HIGH (8.1)

Q: How severe is CVE-2020-10650?

CVE-2020-10650 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-10650?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Netapp Active Iq Unified Manager, Fasterxml Jackson-Databind, Oracle Retail Merchandising System, Oracle Retail Sales Audit.

Vulnerability Description

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	10.0
Netapp	Active Iq Unified Manager	-
Fasterxml	Jackson-Databind	< 2.9.10.4
Oracle	Retail Merchandising System	15.0
Oracle	Retail Sales Audit	14.1

Related Weaknesses (CWE)

CWE-502

References

https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dPatchThird Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2658PatchThird Party Advisory
https://github.com/advisories/GHSA-rpr3-cw39-3pxhThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.htmlThird Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-nExploitThird Party Advisory
https://security.netapp.com/advisory/ntap-20230818-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2022.htmlPatchThird Party Advisory
https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dPatchThird Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2658PatchThird Party Advisory
https://github.com/advisories/GHSA-rpr3-cw39-3pxhThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.htmlThird Party Advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-nExploitThird Party Advisory
https://security.netapp.com/advisory/ntap-20230818-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-10650?

CVE-2020-10650 is a vulnerability with a CVSS score of 8.1 (HIGH). A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta....

How severe is CVE-2020-10650?

CVE-2020-10650 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-10650?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Netapp Active Iq Unified Manager, Fasterxml Jackson-Databind, Oracle Retail Merchandising System, Oracle Retail Sales Audit.