CVE-2020-14061

Description

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

References

Link	Tags
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://github.com/FasterXML/jackson-databind/issues/2698	patch third party advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html	mailing list third party advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	third party advisory
https://security.netapp.com/advisory/ntap-20200702-0003/	third party advisory
https://www.oracle.com/security-alerts/cpujan2021.html	third party advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	third party advisory
https://www.oracle.com//security-alerts/cpujul2021.html	third party advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	third party advisory

Frequently Asked Questions

What is the severity of CVE-2020-14061?: CVE-2020-14061 has been scored as a high severity vulnerability.
How to fix CVE-2020-14061?: To fix CVE-2020-14061, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-14061 being actively exploited in the wild?: It is possible that CVE-2020-14061 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~7% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions