Vulnerability Description
A flaw was found in FasterXML jackson-databind: its built-in deserializers for `org.w3c.dom.Node` and `org.w3c.dom.Document` (the `DOMDeserializer` family, see the upstream issue in the references) parsed XML with a `DocumentBuilderFactory` whose entity expansion was not secured properly. Any JSON input that an application binds to those DOM types is therefore exposed to XML external entity (XXE) attacks: an attacker who controls the JSON can embed a `DOCTYPE` with an external entity and have the server's parser resolve it. The highest threat from this vulnerability is to data integrity.
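The vulnerable binding and a hardened alternative, as an added example that is not the jackson-databind project's own code: the `Request` and `SafeRequest` classes, their field names, and the JSON payload are constructed for illustration, and the parser feature URIs are the standard SAX/Xerces ones honoured by the JDK's bundled parser. The hardened path keeps the XML as a `String` on the JSON side and parses it with a locked-down factory, which protects the application regardless of the jackson-databind version on the classpath.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonXxeDemo {

    // Hypothetical API request type: a JSON document carrying an XML fragment.
    // Binding the fragment straight to org.w3c.dom.Document hands the string to
    // jackson-databind's DOM deserializer, which is the vulnerable code path.
    public static class Request {
        public String id;
        public Document payload;
    }

    // Constructed attacker input (not from the advisory): the payload string is an
    // XML document whose DOCTYPE declares an external entity pointing at a local file.
    static final String ATTACKER_JSON =
        "{\"id\":\"1\",\"payload\":\"<?xml version=\\\"1.0\\\"?>"
        + "<!DOCTYPE x [<!ENTITY xxe SYSTEM \\\"file:///etc/hostname\\\">]>"
        + "<x>&xxe;</x>\"}";

    // VULNERABLE on affected releases (e.g. 2.6.0 up to but excluding 2.6.7.4):
    // readValue() parses the XML with a DocumentBuilderFactory that still resolves
    // external entities, so &xxe; is expanded with the contents of /etc/hostname.
    static Request bindWithDomDeserializer(String json) throws Exception {
        return new ObjectMapper().readValue(json, Request.class);
    }

    // HARDENED: keep the XML opaque to Jackson and parse it yourself.
    public static class SafeRequest {
        public String id;
        public String payload;
    }

    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; this alone defeats classic XXE and billion-laughs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE feature is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parseSafely(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Hardened path: Jackson only sees a String; the XML parser rejects the DOCTYPE.
        SafeRequest safe = new ObjectMapper().readValue(ATTACKER_JSON, SafeRequest.class);
        try {
            parseSafely(safe.payload);
            System.out.println("parsed: no DOCTYPE in input");
        } catch (SAXParseException e) {
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }

        // Vulnerable path, shown for comparison. On an affected jackson-databind the
        // root element's text is the resolved entity, i.e. the host's /etc/hostname.
        try {
            Request r = bindWithDomDeserializer(ATTACKER_JSON);
            System.out.println("DOM deserializer produced: "
                + r.payload.getDocumentElement().getTextContent());
        } catch (Exception e) {
            System.out.println("DOM deserializer failed: " + e.getMessage());
        }
    }
}
```

To find the exposure in a code base, search for fields, parameters or `readValue`/`convertValue` targets typed as `org.w3c.dom.Document` or `org.w3c.dom.Node`; applications that never bind JSON to those types are not reachable through this flaw even on an affected jackson-databind version, but should still upgrade.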
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.6.0, < 2.6.7.4 |
| Netapp | Oncommand Api Services | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Service Level Manager | - |
| Fedoraproject | Fedora | 32 |
| Quarkus | Quarkus | <= 1.6.1 |
| Apache | Iotdb | < 0.12.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Agile Product Lifecycle Management Integration Pack | 3.6 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Treasury Management | 4.4 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Coherence | 12.2.1.4.0 |
| Oracle | Commerce Platform | >= 11.3.0, <= 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.4.0 |
| Oracle | Communications Convergent Charging Controller | 12.0.4.0.0 |
| Oracle | Communications Evolved Communications Application Server | 7.1 |
| Oracle | Communications Instant Messaging Server | 10.0.1.5.0 |
Related Weaknesses (CWE)
- CWE-611: Improper Restriction of XML External Entity Reference
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1887664 (Issue Tracking, Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/2589 (Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aec
- https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b5728
- https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d
- https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738
- https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d845
- https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240ca
- https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d4
- https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2
- https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be8
- https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0
- https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654
- https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a864
- https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b151324
FAQ
What is CVE-2020-25649?
CVE-2020-25649 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in FasterXML jackson-databind, whose DOM (`org.w3c.dom.Node` / `org.w3c.dom.Document`) deserializers did not have entity expansion secured properly. JSON input bound to those types is therefore exposed to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
How severe is CVE-2020-25649?
CVE-2020-25649 has been rated HIGH with a CVSS base score of 7.5/10. The score reflects a network-reachable flaw that needs no privileges or user interaction; only applications that deserialize attacker-controlled JSON into `org.w3c.dom.Node` or `org.w3c.dom.Document` are actually reachable.
Is there a patch for CVE-2020-25649?
Yes. Upstream fixed the issue in jackson-databind 2.6.7.4 (the upper bound in the table above); the same fix was backported to the patch releases of the later 2.9 and 2.10 branches (2.9.10.7 and 2.10.5.1) and is in 2.11.0 and later, as tracked in upstream issue #2589 in the references. Verify the version actually resolved on your classpath (for Maven, `mvn dependency:tree | grep jackson-databind`) rather than the one declared, since transitive dependencies often pin an older release. Check the references section above for vendor advisories covering the other affected products, which include Netapp OnCommand API Services, Netapp OnCommand Workflow Automation, Netapp Service Level Manager, Fedora 32, Quarkus, Apache IoTDB and the Oracle products listed.