CVE-2020-10650

HIGH WAF: Medium

CVSS 8.1 Published: 2022-12-26

CWE-502 CWE-502

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

WAF Coverage Analysis

Insecure Deserialization Medium WAF Coverage

OWASP: A08:2021 Software and Data Integrity Failures

944xxx - Java Attack

Insecure Deserialization Medium WAF Coverage

OWASP: A08:2021 Software and Data Integrity Failures

944xxx - Java Attack

Affected Software

Vendor	Product	Version
debian	debian_linux	10.0
netapp	active_iq_unified_manager	-
netapp	active_iq_unified_manager	-
netapp	active_iq_unified_manager	-
fasterxml	jackson-databind	up to 2.9.10.4
fasterxml	jackson-databind	2.10.0
fasterxml	jackson-databind	2.10.0
fasterxml	jackson-databind	2.10.0
oracle	retail_merchandising_system	15.0
oracle	retail_sales_audit	14.1

References

github.com (Patch, Third Party Advisory)
github.com (Patch, Third Party Advisory)
github.com (Third Party Advisory)
lists.debian.org (Third Party Advisory)
medium.com (Exploit, Third Party Advisory)
security.netapp.com (Third Party Advisory)
www.oracle.com (Patch, Third Party Advisory)
www.oracle.com (Patch, Third Party Advisory)

Back to CVE Database