9.8

CVE-2020-9547

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FasterxmlJackson-databind Version >= 2.0.0 < 2.7.9.7
FasterxmlJackson-databind Version >= 2.8.0 < 2.8.11.6
FasterxmlJackson-databind Version >= 2.9.0 < 2.9.10.4
NetappActive Iq Unified Manager SwPlatformlinux Version >= 7.3
NetappActive Iq Unified Manager SwPlatformwindows Version >= 7.3
NetappActive Iq Unified Manager SwPlatformvmware_vsphere Version >= 9.5
DebianDebian Linux Version8.0
OracleBanking Platform Version >= 2.4.0 <= 2.9.0
OracleCommunications Contacts Server Version8.0.0.4.0
OracleCommunications Network Charging And Control Version >= 12.0.0 <= 12.0.3
OracleGlobal Lifecycle Management Opatch Version < 12.2.0.1.20
OracleJd Edwards Enterpriseone Tools Version < 9.2.4.2
OraclePrimavera Unifier Version >= 17.7 <= 17.12
OraclePrimavera Unifier Version16.1
OraclePrimavera Unifier Version16.2
OraclePrimavera Unifier Version18.8
OraclePrimavera Unifier Version19.12
OracleWeblogic Server Version12.2.1.3.0
OracleWeblogic Server Version12.2.1.4.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 38.26% 0.972
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.