CVE-2020-25649

HIGH

Fasterxml Jackson-databind < 2.6.7.4 - XXE

Title source: rule

Description

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw makes it possible to carry out XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity (the CVSS vector below scores confidentiality and availability as unaffected).

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-25649-jackson-databind-vulnerable
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-25649-jackson-databind-vulnerable

References (71)

... and 51 more

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 4.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-611 (Improper Restriction of XML External Entity Reference)
Status published
Products (50)
apache/iotdb < 0.12.0
com.fasterxml.jackson.core/jackson-databind 2.6.0 - 2.6.7.4 (Maven)
fasterxml/jackson-databind 2.6.0 - 2.6.7.4
fedoraproject/fedora 32
netapp/oncommand_api_services
netapp/oncommand_workflow_automation
netapp/service_level_manager
oracle/agile_plm 9.3.6
oracle/agile_product_lifecycle_management_integration_pack 3.6
oracle/banking_apis 19.1
... and 40 more
Published Dec 03, 2020
Tracked Since Feb 18, 2026