CVE-2020-35728
Severity: HIGH (CVSS 8.1)   WAF coverage: Medium
Published: 2020-12-27
CWE-502 (Deserialization of Untrusted Data)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing. When polymorphic (default) typing is enabled, the type id carried in attacker-supplied JSON selects the class to instantiate, and com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (the Xalan copy shaded into org.glassfish.web/javax.servlet.jsp.jstl) was not blocked, so an application with that jar on its classpath can be made to deserialize into it. The 2.9.10.8 release extends jackson-databind's blocked-gadget list; on 2.10+ the more robust control is an explicit PolymorphicTypeValidator allow-list rather than reliance on the deny-list, and not enabling default typing at all where it is not required.
WAF Coverage Analysis
Attack class: Insecure Deserialization
WAF coverage: Medium
OWASP: A08:2021 Software and Data Integrity Failures
CRS rule family: 944xxx (Java Attack)
Coverage is Medium because a WAF can only match the gadget class name (or a generic Java class-name pattern) in request bodies it actually sees and decodes: JSON that reaches the application by another channel, or a type id obscured by an encoding the rule does not normalize, is not caught. Treat the WAF rule as a stopgap alongside the version upgrade.
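As an added illustration of the two points above (which jackson-databind versions this page lists as affected, and what a WAF-side match on the gadget type id can and cannot see), the following Python is example code written for this page, not code from jackson-databind, OWASP CRS or any vendor advisory. The class-name regex is a hypothetical stand-in for a 944xxx-style rule, not the real CRS pattern; the request bodies are constructed samples that merely reference the gadget class name and are not exploit payloads.

```python
import json
import re

# Gadget class named in the CVE-2020-35728 description.
GADGET_CLASS = "com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"
GADGET_CLASSES = {GADGET_CLASS}

# Hypothetical Java-class-name pattern standing in for what a 944xxx-style WAF rule
# can do on the raw body: a dotted, all-lowercase package path plus a class name.
# It is not the actual CRS regex.
JAVA_CLASS_RE = re.compile(r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Za-z_][A-Za-z0-9_$]*")

# Affected range from this page's table: 2.9.0 inclusive to 2.9.10.8 exclusive.
AFFECTED_START = (2, 9, 0)
FIXED_IN = (2, 9, 10, 8)


def parse_version(version):
    """'2.9.10.7' -> (2, 9, 10, 7); tuples compare element-wise (no pre-release suffixes)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """True when a jackson-databind version falls inside the range this page lists."""
    parsed = parse_version(version)
    return AFFECTED_START <= parsed < FIXED_IN


def find_gadget_type_ids(node):
    """Walk decoded JSON and collect every Jackson type id naming a deny-listed class.

    With default typing Jackson's default inclusion is WRAPPER_ARRAY:
    ["fully.qualified.ClassName", {...properties...}]. Class-based @JsonTypeInfo
    can also carry the id in an "@class" property, so both shapes are checked.
    """
    hits = []
    if isinstance(node, list):
        if len(node) == 2 and isinstance(node[0], str) and node[0] in GADGET_CLASSES:
            hits.append(node[0])
        for item in node:
            hits.extend(find_gadget_type_ids(item))
    elif isinstance(node, dict):
        type_id = node.get("@class")
        if isinstance(type_id, str) and type_id in GADGET_CLASSES:
            hits.append(type_id)
        for value in node.values():
            hits.extend(find_gadget_type_ids(value))
    return hits


def waf_inspect(raw_body):
    """Two-stage check on a request body.

    Stage 1 is the cheap raw-text regex a WAF applies before (or without) parsing.
    Stage 2 parses the JSON, so escapes the regex cannot see are resolved first.
    """
    result = {"regex_hit": False, "typed_gadget": []}
    for match in JAVA_CLASS_RE.finditer(raw_body):
        if match.group(0) in GADGET_CLASSES:
            result["regex_hit"] = True
    try:
        body = json.loads(raw_body)
    except ValueError:
        return result  # not JSON: only the raw-text verdict is available
    result["typed_gadget"] = find_gadget_type_ids(body)
    return result


# Constructed sample bodies for the demonstration. They only reference the
# class name; the object payload is a placeholder, not a working exploit.
PLAIN_BODY = json.dumps([GADGET_CLASS, {"example": "constructed"}])
# Same type id with one dot written as the JSON escape \u002e: identical string
# after json.loads, but a raw-text regex no longer sees the full class name.
ESCAPED_BODY = PLAIN_BODY.replace("com.oracle", r"com\u002eoracle")


if __name__ == "__main__":
    for version in ("2.9.10.7", "2.9.10.8", "2.10.0"):
        print(version, "affected" if is_affected(version) else "not affected")
    print("plain  :", waf_inspect(PLAIN_BODY))
    print("escaped:", waf_inspect(ESCAPED_BODY))
```

The second sample is the reason the coverage rating stays at Medium: the raw-text rule reports no hit, while the structural check that runs after JSON decoding still finds the gadget type id. Whether a real WAF closes that gap depends on the transformations its rule applies before matching, and no rule helps for bodies the WAF never sees, so the version check is the control to rely on.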
Affected Software
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-databind | 2.9.0 up to and including 2.9.10.7 (fixed in 2.9.10.8) |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | agile_plm | 9.3.6 |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | autovue | 21.0.2 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | banking_corporate_lending_process_management | 14.3 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| oracle | banking_credit_facilities_process_management | 14.2 |
References
- github.com (Patch, Third Party Advisory)
- lists.debian.org (Mailing List, Third Party Advisory)
- medium.com
- security.netapp.com (Third Party Advisory)
- www.oracle.com (Patch, Third Party Advisory)
- www.oracle.com (Third Party Advisory)
- www.oracle.com (Patch, Third Party Advisory)
- www.oracle.com (Patch, Third Party Advisory)
- www.oracle.com (Third Party Advisory)
- www.oracle.com (Patch, Third Party Advisory)