CVE-2020-10650
HIGH EXPLOITEDjackson-databind <2.9.10.4 - Open Redirect
Title source: llmDescription
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
Scores
CVSS v3
8.1
EPSS
0.0985
EPSS Percentile
92.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Intel
VulnCheck KEV
2025-06-23
Classification
CWE
CWE-502
Status
published
Affected Products (11)
debian/debian_linux
netapp/active_iq_unified_manager
netapp/active_iq_unified_manager
netapp/active_iq_unified_manager
fasterxml/jackson-databind
< 2.9.10.4
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
oracle/retail_merchandising_system
oracle/retail_sales_audit
com.fasterxml.jackson.core/jackson-databind
< 2.9.10.4Maven
Timeline
Published
Dec 26, 2022
Tracked Since
Feb 18, 2026