Vulnerability-Lookup

BDU:2021-00714

Vulnerability from fstec - Published: 31.01.2020

Title

Уязвимость компонента org.aoju.bus.proxy.provider.remoting.RmiProvider библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Description

Уязвимость компонента org.aoju.bus.proxy.provider.remoting.RmiProvider библиотеки Jackson-databind проекта FasterXML связана с восстановлением в памяти недостоверных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor

Oracle Corp., ООО «РусБИТех-Астра», Сообщество свободного программного обеспечения, Red Hat Inc., FasterXML, LLC, АО «НТЦ ИТ РОСА», АО «Концерн ВНИИНС»

Software Name

Primavera Unifier, WebLogic Server, Oracle Retail Merchandising System, Astra Linux Common Edition (запись в едином реестре российских программ №4433), Debian GNU/Linux, Retail Xstore Point of Service, OpenShift Application Runtimes, Enterprise Manager Base Platform, Financial Services Price Creation and Discovery, Oracle Agile PLM, Oracle Retail Service Backbone, CodeReady Studio, Financial Services Analytical Applications Infrastructure, Oracle Banking Platform, Communications Instant Messaging Server, Jackson-databind, Oracle Communications Contacts Server, Oracle Communications Evolved Communications Application Server, Communications Network Charging and Control, Oracle Retail Sales Audit, Oracle Global Lifecycle Management OPatch, Communications Diameter Signaling Router, Oracle Communications Element Manager, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager, Financial Services Institutional Performance Analytics, Financial Services Retail Customer Analytics, Insurance Policy Administration J2EE, JD Edwards EnterpriseOne Orchestrator, JD Edwards EnterpriseOne Tools, РОСА ХРОМ (запись в едином реестре российских программ №1607), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

16.2 (Primavera Unifier), 16.1 (Primavera Unifier), 12.2.1.3.0 (WebLogic Server), 15.0 (Oracle Retail Merchandising System), 2.12 «Орёл» (Astra Linux Common Edition), 8 (Debian GNU/Linux), 18.8 (Primavera Unifier), 15.0 (Retail Xstore Point of Service), 16.0 (Retail Xstore Point of Service), 17.0 (Retail Xstore Point of Service), 18.0 (Retail Xstore Point of Service), 19.0.0 (Retail Xstore Point of Service), - (OpenShift Application Runtimes), 12.2.1.4.0 (WebLogic Server), 13.3.0.0 (Enterprise Manager Base Platform), 19.12 (Primavera Unifier), от 17.7 до 17.12 включительно (Primavera Unifier), 8.0.7 (Financial Services Price Creation and Discovery), 9.3.6 (Oracle Agile PLM), 15.0 (Oracle Retail Service Backbone), 16.0 (Oracle Retail Service Backbone), 13.4.0.0 (Enterprise Manager Base Platform), 12 (CodeReady Studio), от 8.0.6 до 8.1.0 включительно (Financial Services Analytical Applications Infrastructure), от 2.4.0 до 2.9.0 включительно (Oracle Banking Platform), 10.0.1.4.0 (Communications Instant Messaging Server), от 2.0 до 2.9.10.4 (Jackson-databind), 8.0.0.4.0 (Oracle Communications Contacts Server), 7.1 (Oracle Communications Evolved Communications Application Server), 6.0.1 (Communications Network Charging and Control), от 12.0.0 до 12.0.3 включительно (Communications Network Charging and Control), 14.1 (Oracle Retail Sales Audit), 14.1 (Oracle Retail Service Backbone), до 12.2.0.1.20 включительно (Oracle Global Lifecycle Management OPatch), от 8.0.0 до 8.2.2 включительно (Communications Diameter Signaling Router), от 8.2.0 до 8.2.2 включительно (Oracle Communications Element Manager), от 8.2.0 до 8.2.2 включительно (Oracle Communications Session Report Manager), от 8.2.0 до 8.2.2 включительно (Oracle Communications Session Route Manager), 8.0.6 (Financial Services Institutional Performance Analytics), 8.7.0 (Financial Services Institutional Performance Analytics), 8.1.0 (Financial Services Institutional Performance Analytics), 8.0.6 (Financial Services Price Creation and Discovery), 8.0.6 (Financial Services Retail Customer Analytics), 11.0.2.25 (Insurance Policy Administration J2EE), 11.1.0.15 (Insurance Policy Administration J2EE), до 9.2.4.2 включительно (JD Edwards EnterpriseOne Orchestrator), до 9.2.4.2 включительно (JD Edwards EnterpriseOne Tools), 12.4 (РОСА ХРОМ), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

Использование рекомендаций производителя: Для Jackson-databind: https://github.com/FasterXML/jackson-databind/issues/2660 Для программных продуктов Oracle Corp.: https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html Для Debian GNU/Linux: https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2020-10673 Для Astra Linux: Обновление программного обеспечения (пакета jackson-databind) до 2.8.6-1+deb9u8 или более поздней версии Для ОС ОН «Стрелец»: Обновление программного обеспечения jackson-databind до версии 2.8.6-1+deb9u10 Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2025-2629

Reference

https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://github.com/FasterXML/jackson-databind/issues/2660 https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://access.redhat.com/security/cve/cve-2020-10673 https://nvd.nist.gov/vuln/detail/CVE-2020-10673 https://security-tracker.debian.org/tracker/CVE-2020-10673 https://github.com/nomi-sec/PoC-in-GitHub/tree/master/2020 https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023 https://abf.rosa.ru/advisories/ROSA-SA-2025-2629

CWE

CWE-502

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Oracle Corp., \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Red Hat Inc., FasterXML, LLC, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb, \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "16.2 (Primavera Unifier), 16.1 (Primavera Unifier), 12.2.1.3.0 (WebLogic Server), 15.0 (Oracle Retail Merchandising System), 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (Astra Linux Common Edition), 8 (Debian GNU/Linux), 18.8 (Primavera Unifier), 15.0 (Retail Xstore Point of Service), 16.0 (Retail Xstore Point of Service), 17.0 (Retail Xstore Point of Service), 18.0 (Retail Xstore Point of Service), 19.0.0 (Retail Xstore Point of Service), - (OpenShift Application Runtimes), 12.2.1.4.0 (WebLogic Server), 13.3.0.0 (Enterprise Manager Base Platform), 19.12 (Primavera Unifier), \u043e\u0442 17.7 \u0434\u043e 17.12 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Primavera Unifier), 8.0.7 (Financial Services Price Creation and Discovery), 9.3.6 (Oracle Agile PLM), 15.0 (Oracle Retail Service Backbone), 16.0 (Oracle Retail Service Backbone), 13.4.0.0 (Enterprise Manager Base Platform), 12 (CodeReady Studio), \u043e\u0442 8.0.6 \u0434\u043e 8.1.0 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Financial Services Analytical Applications Infrastructure), \u043e\u0442 2.4.0 \u0434\u043e 2.9.0 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Oracle Banking Platform), 10.0.1.4.0 (Communications Instant Messaging Server), \u043e\u0442 2.0 \u0434\u043e 2.9.10.4 (Jackson-databind), 8.0.0.4.0 (Oracle Communications Contacts Server), 7.1 (Oracle Communications Evolved Communications Application Server), 6.0.1 (Communications Network Charging and Control), \u043e\u0442 12.0.0 \u0434\u043e 12.0.3 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Communications Network Charging and Control), 14.1 (Oracle Retail Sales Audit), 14.1 (Oracle Retail Service Backbone), \u0434\u043e 12.2.0.1.20 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Oracle Global Lifecycle Management OPatch), \u043e\u0442 8.0.0 \u0434\u043e 8.2.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Communications Diameter Signaling Router), \u043e\u0442 8.2.0 \u0434\u043e 8.2.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Oracle Communications Element Manager), \u043e\u0442 8.2.0 \u0434\u043e 8.2.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Oracle Communications Session Report Manager), \u043e\u0442 8.2.0 \u0434\u043e 8.2.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Oracle Communications Session Route Manager), 8.0.6 (Financial Services Institutional Performance Analytics), 8.7.0 (Financial Services Institutional Performance Analytics), 8.1.0 (Financial Services Institutional Performance Analytics), 8.0.6 (Financial Services Price Creation and Discovery), 8.0.6 (Financial Services Retail Customer Analytics), 11.0.2.25 (Insurance Policy Administration J2EE), 11.1.0.15 (Insurance Policy Administration J2EE), \u0434\u043e 9.2.4.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (JD Edwards EnterpriseOne Orchestrator), \u0434\u043e 9.2.4.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (JD Edwards EnterpriseOne Tools), 12.4 (\u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\n\u0414\u043b\u044f Jackson-databind:\nhttps://github.com/FasterXML/jackson-databind/issues/2660\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/cpujan2021.html \nhttps://www.oracle.com/security-alerts/cpujul2020.html \nhttps://www.oracle.com/security-alerts/cpuoct2020.html\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://lists.debian.org/debian-lts-announce/2020/03/msg00027.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2020-10673\n\n\u0414\u043b\u044f Astra Linux:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 jackson-databind) \u0434\u043e 2.8.6-1+deb9u8 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f jackson-databind \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.8.6-1+deb9u10\n\n\u0414\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c: https://abf.rosa.ru/advisories/ROSA-SA-2025-2629",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "31.01.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.03.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "16.02.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-00714",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-10673",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Primavera Unifier, WebLogic Server, Oracle Retail Merchandising System, Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Debian GNU/Linux, Retail Xstore Point of Service, OpenShift Application Runtimes, Enterprise Manager Base Platform, Financial Services Price Creation and Discovery, Oracle Agile PLM, Oracle Retail Service Backbone, CodeReady Studio, Financial Services Analytical Applications Infrastructure, Oracle Banking Platform, Communications Instant Messaging Server, Jackson-databind, Oracle Communications Contacts Server, Oracle Communications Evolved Communications Application Server, Communications Network Charging and Control, Oracle Retail Sales Audit, Oracle Global Lifecycle Management OPatch, Communications Diameter Signaling Router, Oracle Communications Element Manager, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager, Financial Services Institutional Performance Analytics, Financial Services Retail Customer Analytics, Insurance Policy Administration J2EE, JD Edwards EnterpriseOne Orchestrator, JD Edwards EnterpriseOne Tools, \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c 12.4  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 org.aoju.bus.proxy.provider.remoting.RmiProvider \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 Jackson-databind \u043f\u0440\u043e\u0435\u043a\u0442\u0430 FasterXML, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0441\u0442\u044c, \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 org.aoju.bus.proxy.provider.remoting.RmiProvider \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 Jackson-databind \u043f\u0440\u043e\u0435\u043a\u0442\u0430 FasterXML \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0441\u0442\u044c, \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.oracle.com/security-alerts/cpujan2021.html \nhttps://www.oracle.com/security-alerts/cpujul2020.html \nhttps://www.oracle.com/security-alerts/cpuoct2020.html\nhttps://github.com/FasterXML/jackson-databind/issues/2660\nhttps://lists.debian.org/debian-lts-announce/2020/03/msg00027.html\nhttps://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\nhttps://access.redhat.com/security/cve/cve-2020-10673\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10673\nhttps://security-tracker.debian.org/tracker/CVE-2020-10673\nhttps://github.com/nomi-sec/PoC-in-GitHub/tree/master/2020\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-2629",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,3)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,8)"
}

CVE-2020-10673 (GCVE-0-2020-10673)

Vulnerability from cvelistv5 – Published: 2020-03-18 21:17 – Updated: 2025-08-27 20:32

Summary

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

URL

Tags

	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
	https://medium.com/%40cowtowncoder/on-jackson-cve…	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2020040…	x_refsource_CONFIRM
	https://github.com/FasterXML/jackson-databind/iss…	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "debian_linux",
            "vendor": "debian",
            "versions": [
              {
                "status": "affected",
                "version": "8.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "steelstore_cloud_integrated_storage",
            "vendor": "netapp",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "agile_plm",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "9.3.6"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "autovue_for_agile_product_lifecycle_management",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "21.0.2"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "banking_digital_experience",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "18.3",
                "status": "affected",
                "version": "18.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "19.2",
                "status": "affected",
                "version": "19.1",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "20.1"
              },
              {
                "lessThanOrEqual": "2.9.0",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "banking_digital_experience",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "18.3",
                "status": "affected",
                "version": "18.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "19.2",
                "status": "affected",
                "version": "19.1",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "20.1"
              },
              {
                "lessThanOrEqual": "2.9.0",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "banking_digital_experience",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "18.3",
                "status": "affected",
                "version": "18.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "19.2",
                "status": "affected",
                "version": "19.1",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "20.1"
              },
              {
                "lessThanOrEqual": "2.9.0",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "banking_digital_experience",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "18.3",
                "status": "affected",
                "version": "18.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "19.2",
                "status": "affected",
                "version": "19.1",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "20.1"
              },
              {
                "lessThanOrEqual": "2.9.0",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_calendar_server",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "8.0.0.5.0",
                "status": "affected",
                "version": "8.0.0.4.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_diameter_signaling_router",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "8.2.2",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_element_manager",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "8.2.2",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_evolved_communications_application_server",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "7.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_instant_messaging_server",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "10.0.1.4.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_network_charging_and_control",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "6.0.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_network_charging_and_control",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "12.0.3",
                "status": "affected",
                "version": "12.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "communications_session_route_manager",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "8.2.2",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "enterprise_manager_base_platform",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "13.4.0.0",
                "status": "affected",
                "version": "13.3.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "financial_services_analytical_applications_infrastructure",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "8.1.0",
                "status": "affected",
                "version": "8.0.6",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "financial_services_institutional_performance_analytics",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "8.0.6"
              },
              {
                "status": "affected",
                "version": "8.0.7"
              },
              {
                "status": "affected",
                "version": "8.1.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "financial_services_institutional_performance_analytics",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "8.0.6"
              },
              {
                "status": "affected",
                "version": "8.0.7"
              },
              {
                "status": "affected",
                "version": "8.1.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "financial_services_institutional_performance_analytics",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "8.0.6"
              },
              {
                "status": "affected",
                "version": "8.0.7"
              },
              {
                "status": "affected",
                "version": "8.1.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "financial_services_price_creation_and_discovery",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "8.0.7",
                "status": "affected",
                "version": "8.0.6",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "financial_services_retail_customer_analytics",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "8.0.6"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "global_lifecycle_management_opatch",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "12.2.0.1.20",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "insurance_policy_administration_j2ee",
            "vendor": "oracle",
            "versions": [
              {
                "lessThan": "11.1.0.15",
                "status": "affected",
                "version": "11.0.2.25",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jd_edwards_enterpriseone_orchestrator",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "9.2.4.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "primavera_unifier",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "16.1"
              },
              {
                "status": "affected",
                "version": "16.2"
              },
              {
                "lessThanOrEqual": "17.12",
                "status": "affected",
                "version": "17.7",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "18.8"
              },
              {
                "status": "affected",
                "version": "19.12"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "primavera_unifier",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "16.1"
              },
              {
                "status": "affected",
                "version": "16.2"
              },
              {
                "lessThanOrEqual": "17.12",
                "status": "affected",
                "version": "17.7",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "18.8"
              },
              {
                "status": "affected",
                "version": "19.12"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "primavera_unifier",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "16.1"
              },
              {
                "status": "affected",
                "version": "16.2"
              },
              {
                "lessThanOrEqual": "17.12",
                "status": "affected",
                "version": "17.7",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "18.8"
              },
              {
                "status": "affected",
                "version": "19.12"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "primavera_unifier",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "16.1"
              },
              {
                "status": "affected",
                "version": "16.2"
              },
              {
                "lessThanOrEqual": "17.12",
                "status": "affected",
                "version": "17.7",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "18.8"
              },
              {
                "status": "affected",
                "version": "19.12"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "primavera_unifier",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "16.1"
              },
              {
                "status": "affected",
                "version": "16.2"
              },
              {
                "lessThanOrEqual": "17.12",
                "status": "affected",
                "version": "17.7",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "18.8"
              },
              {
                "status": "affected",
                "version": "19.12"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "retail_merchandising_system",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "15.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "retail_sales_audit",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "14.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "retail_service_backbone",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "14.1"
              },
              {
                "status": "affected",
                "version": "15.0"
              },
              {
                "status": "affected",
                "version": "16.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "retail_service_backbone",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "14.1"
              },
              {
                "status": "affected",
                "version": "15.0"
              },
              {
                "status": "affected",
                "version": "16.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "retail_service_backbone",
            "vendor": "oracle",
            "versions": [
              {
                "status": "affected",
                "version": "14.1"
              },
              {
                "status": "affected",
                "version": "15.0"
              },
              {
                "status": "affected",
                "version": "16.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "retail_xstore_point_of_service",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "19.0",
                "status": "affected",
                "version": "15.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "weblogic_server",
            "vendor": "oracle",
            "versions": [
              {
                "lessThanOrEqual": "12.2.1.4.0",
                "status": "affected",
                "version": "12.2.1.3.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:fasterxml:jackson-databind:2.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jackson-databind",
            "vendor": "fasterxml",
            "versions": [
              {
                "lessThan": "2.9.10.4",
                "status": "affected",
                "version": "2.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-10673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-25T04:00:47.873963Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-27T20:32:51.171Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:10.672Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/2660"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-20T10:38:39.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/2660"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-10673",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
            },
            {
              "name": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
              "refsource": "MISC",
              "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200403-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/2660",
              "refsource": "MISC",
              "url": "https://github.com/FasterXML/jackson-databind/issues/2660"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-10673",
    "datePublished": "2020-03-18T21:17:26.000Z",
    "dateReserved": "2020-03-18T00:00:00.000Z",
    "dateUpdated": "2025-08-27T20:32:51.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2021-00714

CVE-2020-10673 (GCVE-0-2020-10673)

Tags

Sightings

Nomenclature