MidnightBSD

Advisories for fasterxml

CVE-2016-3720 HIGH

XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 24
fasterxml jackson-dataformat-xml *
CVE-2016-7051 MEDIUM

XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N 3.9 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-918,

Products Affected

Vendor Product Version
fasterxml jackson-dataformat-xml 2.8.0
fasterxml jackson-dataformat-xml 2.8.1
fasterxml jackson-dataformat-xml 2.8.2
fasterxml jackson-dataformat-xml *
fasterxml jackson-dataformat-xml 2.8.3
CVE-2017-15095 HIGH

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools 9.2
redhat satellite 6.4
fasterxml jackson-databind 2.9.0
oracle enterprise_manager_for_virtualization 13.3.1
redhat jboss_enterprise_application_platform 7.1.0
oracle primavera_unifier 16.1
oracle communications_billing_and_revenue_management 7.5
oracle communications_instant_messaging_server 10.0.1.2.0
fasterxml jackson-databind *
oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1
oracle financial_services_analytical_applications_infrastructure 8.0.6
redhat openshift_container_platform 3.11
redhat satellite_capsule 6.4
oracle database_server 18.1
netapp snapcenter -
oracle primavera_unifier 16.2
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle enterprise_manager_for_virtualization 13.2.3
oracle webcenter_portal 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.2
debian debian_linux 8.0
netapp oncommand_shift -
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle financial_services_analytical_applications_infrastructure 8.0.2
redhat jboss_enterprise_application_platform 6.4.0
oracle identity_manager 11.1.2.3.0
oracle database_server 12.2.0.1
oracle banking_platform 2.6.1
oracle banking_platform 2.6.0
oracle global_lifecycle_management_opatchauto *
oracle banking_platform 2.5.0
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle banking_platform 2.6.2
redhat jboss_enterprise_application_platform 6.0.0
oracle identity_manager 12.2.1.3.0
oracle financial_services_analytical_applications_infrastructure 8.0.7
oracle communications_diameter_signaling_router *
netapp oncommand_performance_manager -
redhat openshift_container_platform 4.1
oracle clusterware 12.1.0.2.0
oracle primavera_unifier *
netapp oncommand_balance -
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.5
CVE-2017-17485 HIGH

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 6.0.0
netapp e-series_santricity_os_controller *
fasterxml jackson-databind *
redhat openshift_container_platform 3.11
netapp snapcenter -
debian debian_linux 9.0
redhat openshift_container_platform 4.1
debian debian_linux 8.0
netapp oncommand_shift -
redhat jboss_enterprise_application_platform 7.1
redhat jboss_enterprise_application_platform 6.4.0
netapp e-series_santricity_web_services_proxy -
CVE-2017-7525 HIGH

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
fasterxml jackson-databind 2.9.0
oracle enterprise_manager_for_virtualization 13.3.1
redhat jboss_enterprise_application_platform 7.0
oracle primavera_unifier 16.1
oracle communications_billing_and_revenue_management 7.5
oracle communications_instant_messaging_server 10.0.1.2.0
fasterxml jackson-databind *
redhat virtualization_host 4.0
oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1
redhat openshift_container_platform 3.11
oracle financial_services_analytical_applications_infrastructure 8.0.2.0.0
netapp snapcenter -
oracle primavera_unifier 16.2
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle enterprise_manager_for_virtualization 13.2.3
oracle webcenter_portal 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.2
debian debian_linux 8.0
netapp oncommand_shift -
redhat jboss_enterprise_application_platform 7.1
redhat jboss_enterprise_application_platform 6.4.0
oracle banking_platform 2.6.1
oracle financial_services_analytical_applications_infrastructure 8.0.4.0.0
oracle communications_instant_messaging_server 10.0.1
oracle banking_platform 2.6.0
oracle global_lifecycle_management_opatchauto *
oracle banking_platform 2.5.0
oracle banking_platform 2.6.2
redhat jboss_enterprise_application_platform 6.0.0
oracle financial_services_analytical_applications_infrastructure 8.0.7.0.0
netapp oncommand_performance_manager -
oracle communications_communications_policy_management *
oracle financial_services_analytical_applications_infrastructure 8.0.6.0.0
redhat openshift_container_platform 4.1
oracle financial_services_analytical_applications_infrastructure 8.0.5.0.0
oracle financial_services_analytical_applications_infrastructure 8.0.3.0.0
redhat virtualization 4.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier *
netapp oncommand_balance -
oracle communications_billing_and_revenue_management 12.0
CVE-2018-1000873 MEDIUM

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
oracle database_server 12.2.0.1
fasterxml jackson-modules-java8 *
oracle database_server 18c
oracle clusterware 12.1.0.2.0
oracle nosql_database *
netapp active_iq_unified_manager *
oracle database_server 12.1.0.2
oracle global_lifecycle_management_opatch *
oracle database_server 19c
CVE-2018-11307 HIGH

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
redhat openshift_container_platform 4.1
oracle clusterware 12.1.0.2.0
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle communications_instant_messaging_server 10.0.1.2.0
fasterxml jackson-databind *
oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1
redhat openshift_container_platform 3.11
oracle global_lifecycle_management_opatch *
CVE-2018-12022 MEDIUM

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools 9.2
redhat automation_manager 7.3.1
debian debian_linux 9.0
redhat jboss_enterprise_application_platform 7.2.0
fedoraproject fedora 29
redhat jboss_brms 6.4.10
oracle retail_merchandising_system 15.0
redhat decision_manager 7.3.1
fasterxml jackson-databind *
redhat openshift_container_platform 3.11
redhat single_sign-on 7.3
CVE-2018-12023 MEDIUM

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools 9.2
redhat automation_manager 7.3.1
debian debian_linux 9.0
redhat jboss_enterprise_application_platform 7.2.0
fedoraproject fedora 29
redhat jboss_brms 6.4.10
oracle retail_merchandising_system 15.0
redhat decision_manager 7.3.1
fasterxml jackson-databind *
redhat openshift_container_platform 3.11
redhat single_sign-on 7.3
CVE-2018-14718 HIGH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools 9.2
oracle jdeveloper 12.2.1.3.0
redhat openshift_container_platform 3.10
oracle enterprise_manager_for_virtualization 13.3.1
oracle primavera_unifier 16.1
oracle financial_services_analytical_applications_infrastructure 8.0.6
netapp steelstore_cloud_integrated_storage -
netapp snapcenter -
oracle primavera_unifier 18.8
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle webcenter_portal 12.2.1.3.0
oracle business_process_management_suite 12.2.1.3.0
oracle banking_platform 2.6.1
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle primavera_p6_enterprise_project_portfolio_management *
oracle jdeveloper 12.1.3.0.0
oracle business_process_management_suite 12.1.3.0.0
redhat openshift_container_platform *
oracle primavera_p6_enterprise_project_portfolio_management 16.1
oracle primavera_unifier *
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.5
oracle communications_instant_messaging_server 10.0.1.3.0
oracle primavera_p6_enterprise_project_portfolio_management 15.1
oracle communications_billing_and_revenue_management 7.5
oracle primavera_p6_enterprise_project_portfolio_management 15.2
fasterxml jackson-databind *
oracle primavera_p6_enterprise_project_portfolio_management 16.2
oracle primavera_unifier 16.2
oracle retail_workforce_management_software 1.60.9.0.0
debian debian_linux 9.0
oracle enterprise_manager_for_virtualization 13.2.3
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle siebel_ui_framework *
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle enterprise_manager_for_virtualization 13.2.2
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle financial_services_analytical_applications_infrastructure 8.0.2
oracle retail_merchandising_system 16.0
oracle siebel_engineering_-_installer_&_deployment *
oracle global_lifecycle_management_opatch *
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle nosql_database *
oracle banking_platform 2.6.2
oracle financial_services_analytical_applications_infrastructure 8.0.7
netapp oncommand_workflow_automation -
oracle nosql_database 19.3.12
CVE-2018-14719 HIGH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle jdeveloper 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.3.1
oracle primavera_p6_enterprise_project_portfolio_management 15.1
oracle primavera_unifier 16.1
oracle communications_billing_and_revenue_management 7.5
oracle primavera_p6_enterprise_project_portfolio_management 15.2
fasterxml jackson-databind *
netapp steelstore_cloud_integrated_storage *
oracle financial_services_analytical_applications_infrastructure 8.0.6
oracle primavera_p6_enterprise_project_portfolio_management 16.2
oracle database_server 19c
netapp snapcenter -
oracle primavera_unifier 16.2
oracle retail_workforce_management_software 1.60.9.0.0
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle enterprise_manager_for_virtualization 13.2.3
oracle webcenter_portal 12.2.1.3.0
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle enterprise_manager_for_virtualization 13.2.2
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle financial_services_analytical_applications_infrastructure 8.0.2
oracle retail_merchandising_system 16.0
oracle business_process_management_suite 12.2.1.3.0
oracle global_lifecycle_management_opatch *
oracle database_server 12.2.0.1
oracle banking_platform 2.6.1
oracle database_server 11.2.0.4
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle banking_platform 2.6.2
oracle database_server 12.1.0.2
oracle financial_services_analytical_applications_infrastructure 8.0.7
oracle primavera_p6_enterprise_project_portfolio_management *
oracle database_server 18c
oracle jdeveloper 12.1.3.0.0
oracle clusterware 12.1.0.2.0
oracle business_process_management_suite 12.1.3.0.0
redhat openshift_container_platform *
netapp oncommand_workflow_automation -
oracle primavera_p6_enterprise_project_portfolio_management 16.1
oracle primavera_unifier *
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.5
CVE-2018-14720 HIGH

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-611,

Products Affected

Vendor Product Version
oracle jdeveloper 12.2.1.3.0
fasterxml jackson-databind 2.9.0
oracle enterprise_manager_for_virtualization 13.3.1
oracle primavera_unifier 16.1
oracle communications_billing_and_revenue_management 7.5
fasterxml jackson-databind *
oracle financial_services_analytical_applications_infrastructure 8.0.6
fasterxml jackson-databind 2.8.0
redhat openshift_container_platform 3.11
oracle primavera_unifier 16.2
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle enterprise_manager_for_virtualization 13.2.3
redhat jboss_enterprise_application_platform 7.2.0
oracle webcenter_portal 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.2
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle financial_services_analytical_applications_infrastructure 8.0.2
oracle retail_merchandising_system 16.0
fasterxml jackson-databind 2.7.0
oracle banking_platform 2.6.1
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle banking_platform 2.6.2
oracle financial_services_analytical_applications_infrastructure 8.0.7
oracle jdeveloper 12.1.3.0.0
oracle primavera_unifier *
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.5
CVE-2018-14721 HIGH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-918,

Products Affected

Vendor Product Version
oracle jdeveloper 12.2.1.3.0
fasterxml jackson-databind 2.9.0
oracle enterprise_manager_for_virtualization 13.3.1
oracle primavera_unifier 16.1
oracle communications_billing_and_revenue_management 7.5
fasterxml jackson-databind *
oracle financial_services_analytical_applications_infrastructure 8.0.6
fasterxml jackson-databind 2.8.0
redhat openshift_container_platform 3.11
oracle primavera_unifier 16.2
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle enterprise_manager_for_virtualization 13.2.3
redhat jboss_enterprise_application_platform 7.2.0
oracle webcenter_portal 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.2
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle financial_services_analytical_applications_infrastructure 8.0.2
oracle retail_merchandising_system 16.0
fasterxml jackson-databind 2.7.0
oracle banking_platform 2.6.1
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle banking_platform 2.6.2
oracle financial_services_analytical_applications_infrastructure 8.0.7
oracle jdeveloper 12.1.3.0.0
oracle primavera_unifier *
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.5
CVE-2018-19360 HIGH

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle primavera_p6_enterprise_project_portfolio_management 15.1
oracle primavera_unifier 16.1
oracle primavera_p6_enterprise_project_portfolio_management 15.2
fasterxml jackson-databind *
oracle primavera_p6_enterprise_project_portfolio_management 16.2
redhat openshift_container_platform 3.11
oracle primavera_unifier 16.2
oracle primavera_p6_enterprise_project_portfolio_management *
oracle retail_workforce_management_software 1.60.9.0.0
redhat automation_manager 7.3.1
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.3.0
oracle business_process_management_suite 12.1.3.0.0
oracle primavera_p6_enterprise_project_portfolio_management 18.8
debian debian_linux 8.0
oracle primavera_p6_enterprise_project_portfolio_management 16.1
redhat jboss_brms 6.4.10
redhat decision_manager 7.3.1
oracle primavera_unifier *
oracle business_process_management_suite 12.2.1.3.0
redhat jboss_bpm_suite 6.4.11
CVE-2018-19361 HIGH

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle primavera_p6_enterprise_project_portfolio_management 15.1
oracle primavera_unifier 16.1
oracle primavera_p6_enterprise_project_portfolio_management 15.2
fasterxml jackson-databind *
oracle primavera_p6_enterprise_project_portfolio_management 16.2
redhat openshift_container_platform 3.11
oracle primavera_unifier 16.2
oracle primavera_p6_enterprise_project_portfolio_management *
oracle retail_workforce_management_software 1.60.9.0.0
redhat automation_manager 7.3.1
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.3.0
oracle business_process_management_suite 12.1.3.0.0
oracle primavera_p6_enterprise_project_portfolio_management 18.8
debian debian_linux 8.0
oracle primavera_p6_enterprise_project_portfolio_management 16.1
redhat jboss_brms 6.4.10
redhat decision_manager 7.3.1
oracle primavera_unifier *
oracle business_process_management_suite 12.2.1.3.0
redhat jboss_bpm_suite 6.4.11
CVE-2018-19362 HIGH

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle primavera_p6_enterprise_project_portfolio_management 15.1
oracle primavera_unifier 16.1
oracle primavera_p6_enterprise_project_portfolio_management 15.2
fasterxml jackson-databind *
oracle primavera_p6_enterprise_project_portfolio_management 16.2
redhat openshift_container_platform 3.11
oracle primavera_unifier 16.2
oracle primavera_p6_enterprise_project_portfolio_management *
oracle retail_workforce_management_software 1.60.9.0.0
redhat automation_manager 7.3.1
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.3.0
oracle business_process_management_suite 12.1.3.0.0
oracle primavera_p6_enterprise_project_portfolio_management 18.8
debian debian_linux 8.0
oracle primavera_p6_enterprise_project_portfolio_management 16.1
redhat jboss_brms 6.4.10
redhat decision_manager 7.3.1
oracle primavera_unifier *
oracle business_process_management_suite 12.2.1.3.0
redhat jboss_bpm_suite 6.4.11
CVE-2018-5968 MEDIUM

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
debian debian_linux 9.0
redhat openshift_container_platform 4.1
redhat virtualization 4.0
debian debian_linux 8.0
netapp oncommand_shift -
redhat jboss_enterprise_application_platform 7.1
netapp e-series_santricity_os_controller *
fasterxml jackson-databind *
redhat virtualization_host 4.0
netapp e-series_santricity_web_services_proxy -
redhat openshift_container_platform 3.11
CVE-2018-7489 HIGH

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
debian debian_linux 9.0
oracle communications_instant_messaging_server 10.0.1
redhat jboss_enterprise_application_platform 7.1.2
debian debian_linux 8.0
oracle communications_billing_and_revenue_management 7.5
redhat jboss_enterprise_application_platform 6.4.19
fasterxml jackson-databind *
oracle communications_billing_and_revenue_management 12.0
CVE-2019-10172 MEDIUM

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
debian debian_linux 9.0
redhat jboss_enterprise_application_platform 7.0
debian debian_linux 8.0
redhat jboss_fuse 7.0.0
apache spark 3.0.1
fasterxml jackson-mapper-asl *
CVE-2019-12086 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
debian debian_linux 9.0
debian debian_linux 8.0
fasterxml jackson-databind *
CVE-2019-12384 MEDIUM

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.5
debian debian_linux 8.0
redhat enterprise_linux 7.7
fasterxml jackson-databind *
redhat enterprise_linux 7.0
redhat enterprise_linux 7.4
redhat enterprise_linux 7.6
CVE-2019-12814 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
debian debian_linux 8.0
fasterxml jackson-databind *
CVE-2019-14379 HIGH

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.3
oracle jd_edwards_enterpriseone_tools 9.2
apple xcode *
fedoraproject fedora 30
oracle communications_instant_messaging_server 10.0.1.3.0
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.1
oracle retail_xstore_point_of_service 7.1
fasterxml jackson-databind *
oracle goldengate_stream_analytics *
redhat openshift_container_platform 3.11
redhat single_sign-on 7.3
netapp snapcenter -
oracle communications_diameter_signaling_router 8.0.0
oracle primavera_unifier 16.2
redhat jboss_enterprise_application_platform 7.2
oracle primavera_unifier 18.8
netapp service_level_manager -
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle primavera_gateway 17.12
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle siebel_ui_framework *
oracle banking_platform 2.4.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle communications_diameter_signaling_router 8.1
oracle siebel_engineering_-_installer_&_deployment *
oracle financial_services_analytical_applications_infrastructure *
oracle banking_platform 2.6.1
oracle banking_platform 2.7.1
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle communications_diameter_signaling_router 8.2
fedoraproject fedora 29
oracle primavera_gateway 18.8.0
netapp active_iq_unified_manager *
oracle primavera_gateway 15.2
oracle retail_xstore_point_of_service 15.0
oracle communications_diameter_signaling_router 8.2.1
oracle primavera_gateway 16.2
oracle retail_xstore_point_of_service 18.0
redhat openshift_container_platform 4.1
netapp oncommand_workflow_automation -
oracle primavera_unifier *
fedoraproject fedora 31
CVE-2019-14439 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools 9.2
fedoraproject fedora 30
oracle communications_instant_messaging_server 10.0.1.3.0
oracle retail_xstore_point_of_service 16.0
oracle retail_xstore_point_of_service 7.1
fasterxml jackson-databind *
oracle goldengate_stream_analytics *
oracle communications_diameter_signaling_router 8.0.0
debian debian_linux 9.0
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle siebel_ui_framework *
oracle banking_platform 2.4.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle global_lifecycle_management_opatch 13.9.4.2.1
oracle communications_diameter_signaling_router 8.1
oracle siebel_engineering_-_installer_&_deployment *
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle banking_platform 2.6.1
oracle banking_platform 2.7.1
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle communications_diameter_signaling_router 8.2
fedoraproject fedora 29
oracle primavera_gateway 18.8.0
oracle primavera_gateway 15.2
oracle retail_xstore_point_of_service 15.0
oracle communications_diameter_signaling_router 8.2.1
oracle global_lifecycle_management_opatch 11.2.0.3.23
oracle primavera_gateway 16.1
oracle primavera_gateway 16.2
oracle retail_xstore_point_of_service 18.0
apache drill 1.16.0
oracle primavera_gateway *
redhat jboss_middleware_text-only_advisories 1.0
debian debian_linux 10.0
CVE-2019-14540 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.3
oracle weblogic_server 12.2.1.3.0
fedoraproject fedora 30
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.1
oracle retail_xstore_point_of_service 7.1
fasterxml jackson-databind *
oracle goldengate_stream_analytics *
netapp steelstore_cloud_integrated_storage -
oracle primavera_unifier 16.2
redhat jboss_enterprise_application_platform 7.2
debian debian_linux 9.0
oracle primavera_unifier 18.8
oracle primavera_gateway 17.12.6
oracle primavera_gateway 17.12
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle banking_platform 2.4.0
oracle customer_management_and_segmentation_foundation 18.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle primavera_gateway 18.8.8.1
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle primavera_gateway 16.2.11
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_platform 2.6.1
oracle banking_platform 2.7.1
oracle primavera_unifier 19.12
oracle mysql *
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle primavera_gateway 18.8.0
oracle primavera_gateway 15.2
oracle retail_xstore_point_of_service 15.0
oracle primavera_gateway 16.2
oracle retail_xstore_point_of_service 18.0
oracle primavera_gateway 15.2.18
debian debian_linux 10.0
netapp oncommand_workflow_automation -
oracle primavera_unifier *
fedoraproject fedora 31
netapp oncommand_api_services -
CVE-2019-14892 HIGH

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,CWE-502,CWE-502,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.0
redhat jboss_data_grid -
redhat jboss_fuse 7.0.0
apache geode 1.12.0
redhat decision_manager 7.0
redhat process_automation 7.0
fasterxml jackson-databind *
redhat openshift_container_platform 4.3
redhat jboss_data_grid 7.0.0
CVE-2019-14893 HIGH

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,CWE-502,CWE-502,

Products Affected

Vendor Product Version
fasterxml jackson-databind *
oracle goldengate_stream_analytics *
netapp steelstore_cloud_integrated_storage -
netapp oncommand_api_services -
CVE-2019-16335 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.3
oracle weblogic_server 12.2.1.3.0
fedoraproject fedora 30
oracle retail_xstore_point_of_service 16.0
oracle retail_xstore_point_of_service 7.1
fasterxml jackson-databind *
oracle goldengate_stream_analytics *
netapp steelstore_cloud_integrated_storage -
redhat jboss_enterprise_application_platform 7.2
debian debian_linux 9.0
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle banking_platform 2.4.0
oracle customer_management_and_segmentation_foundation 18.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_platform 2.6.1
oracle banking_platform 2.7.1
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle primavera_gateway 18.8.0
oracle primavera_gateway 15.2
oracle retail_xstore_point_of_service 15.0
oracle primavera_gateway 16.1
oracle primavera_gateway 16.2
oracle retail_xstore_point_of_service 18.0
oracle primavera_gateway *
debian debian_linux 10.0
netapp oncommand_workflow_automation -
fedoraproject fedora 31
netapp oncommand_api_services -
CVE-2019-16942 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools 9.2
fedoraproject fedora 30
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle primavera_unifier 16.1
oracle banking_platform 2.9.0
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle database_server 19c
oracle primavera_gateway 19.12.0
oracle primavera_unifier 18.8
oracle jd_edwards_enterpriseone_orchestrator 9.2
redhat jboss_enterprise_application_platform 7.2.0
oracle webcenter_portal 12.2.1.3.0
oracle communications_calendar_server 8.0.0.2.0
oracle weblogic_server 12.2.1.4.0
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle retail_merchandising_system 16.0.2
oracle banking_platform 2.6.1
oracle primavera_unifier 19.12
oracle retail_merchandising_system 16.0.3
netapp active_iq_unified_manager *
oracle database_server 18c
oracle communications_calendar_server 8.0.0.3.0
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0
oracle primavera_gateway *
debian debian_linux 10.0
oracle webcenter_portal 12.2.1.4.0
oracle primavera_unifier *
fedoraproject fedora 31
netapp oncommand_api_services -
redhat jboss_enterprise_application_platform 7.3
oracle weblogic_server 12.2.1.3.0
fasterxml jackson-databind *
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0
oracle siebel_ui_framework 20.6
oracle primavera_unifier 16.2
debian debian_linux 9.0
netapp service_level_manager -
oracle siebel_ui_framework *
oracle banking_platform 2.4.0
debian debian_linux 8.0
oracle retail_sales_audit 14.1
oracle siebel_engineering_-_installer_&_deployment *
oracle goldengate_application_adapters 19.1.0.0.0
oracle database_server 12.2.0.1
oracle banking_platform 2.7.1
oracle retail_merchandising_system 15.0.3
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle banking_platform 2.6.2
oracle webcenter_sites 12.2.1.3.0
oracle webcenter_sites 12.2.1.4.0
netapp oncommand_workflow_automation -
CVE-2019-16943 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle trace_file_analyzer 12.2.0.1
oracle jd_edwards_enterpriseone_tools 9.2
fedoraproject fedora 30
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_platform 2.9.0
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle primavera_gateway 19.12.0
redhat jboss_enterprise_application_platform 7.2
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle webcenter_portal 12.2.1.3.0
oracle communications_calendar_server 8.0.0.2.0
oracle weblogic_server 12.2.1.4.0
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle retail_merchandising_system 16.0.2
oracle banking_platform 2.6.1
oracle retail_merchandising_system 16.0.3
netapp active_iq_unified_manager *
oracle primavera_gateway 16.1
oracle primavera_gateway 16.2
oracle communications_calendar_server 8.0.0.3.0
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0
oracle primavera_gateway *
debian debian_linux 10.0
oracle webcenter_portal 12.2.1.4.0
fedoraproject fedora 31
netapp oncommand_api_services -
redhat jboss_enterprise_application_platform 7.3
oracle weblogic_server 12.2.1.3.0
fasterxml jackson-databind *
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0
debian debian_linux 9.0
netapp service_level_manager -
oracle trace_file_analyzer 19c
oracle banking_platform 2.4.0
debian debian_linux 8.0
oracle retail_sales_audit 14.1
oracle siebel_engineering_-_installer_&_deployment *
oracle goldengate_application_adapters 19.1.0.0.0
oracle trace_file_analyzer 18c
oracle banking_platform 2.7.1
oracle retail_merchandising_system 15.0.3
oracle banking_platform 2.6.0
oracle banking_platform 2.5.0
oracle banking_platform 2.6.2
oracle webcenter_sites 12.2.1.3.0
oracle webcenter_sites 12.2.1.4.0
netapp oncommand_workflow_automation -
CVE-2019-17267 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle goldengate_application_adapters 19.1.0.0.0
redhat jboss_enterprise_application_platform 7.3
oracle weblogic_server 12.2.1.3.0
netapp active_iq_unified_manager *
fasterxml jackson-databind *
netapp steelstore_cloud_integrated_storage -
redhat jboss_enterprise_application_platform 7.2
netapp service_level_manager -
oracle retail_customer_management_and_segmentation_foundation 17.0
debian debian_linux 8.0
netapp oncommand_workflow_automation -
oracle customer_management_and_segmentation_foundation *
netapp oncommand_api_services -
CVE-2019-17531 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle trace_file_analyzer 12.2.0.1
redhat jboss_enterprise_application_platform 7.3
oracle jd_edwards_enterpriseone_tools 9.2
oracle weblogic_server 12.2.1.3.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
fasterxml jackson-databind *
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle banking_platform 2.9.0
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle primavera_gateway 19.12.0
redhat jboss_enterprise_application_platform 7.2
oracle trace_file_analyzer 19c
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle webcenter_portal 12.2.1.3.0
oracle banking_platform 2.4.0
oracle communications_calendar_server 8.0.0.2.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle banking_platform 2.4.1
oracle banking_platform 2.7.0
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle retail_merchandising_system 16.0.2
oracle retail_sales_audit 14.1
oracle siebel_engineering_-_installer_&_deployment *
oracle goldengate_application_adapters 19.1.0.0.0
oracle trace_file_analyzer 18c
oracle banking_platform 2.6.1
oracle banking_platform 2.7.1
oracle retail_merchandising_system 15.0.3
oracle banking_platform 2.6.0
oracle retail_merchandising_system 16.0.3
oracle banking_platform 2.5.0
oracle banking_platform 2.6.2
oracle webcenter_sites 12.2.1.3.0
oracle webcenter_sites 12.2.1.4.0
oracle primavera_gateway 16.1
oracle primavera_gateway 16.2
oracle communications_calendar_server 8.0.0.3.0
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0
oracle primavera_gateway *
netapp oncommand_workflow_automation -
oracle webcenter_portal 12.2.1.4.0
CVE-2019-20330 HIGH

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle trace_file_analyzer 12.2.0.1
oracle weblogic_server 12.2.1.3.0
oracle retail_xstore_point_of_service 16.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_network_charging_and_control *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle primavera_unifier 16.1
fasterxml jackson-databind *
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle goldengate_stream_analytics *
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
netapp snapcenter -
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
netapp service_level_manager -
oracle trace_file_analyzer 19c
oracle siebel_ui_framework *
oracle webcenter_portal 12.2.1.3.0
oracle customer_management_and_segmentation_foundation 18.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle banking_platform *
oracle retail_merchandising_system 16.0.2
oracle enterprise_manager_base_platform 13.4.0.0
oracle retail_sales_audit 14.1
oracle siebel_engineering_-_installer_&_deployment *
oracle global_lifecycle_management_opatch *
oracle goldengate_application_adapters 19.1.0.0.0
oracle trace_file_analyzer 18c
oracle retail_merchandising_system 15.0.3
oracle communications_contacts_server 8.0.0.4.0
oracle primavera_unifier 19.12
oracle retail_merchandising_system 16.0.3
oracle communications_network_charging_and_control 6.0.1
netapp active_iq_unified_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle retail_xstore_point_of_service 15.0
oracle retail_xstore_point_of_service 18.0
oracle retail_xstore_point_of_service 19.0
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
netapp oncommand_api_services -
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-10650

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
debian debian_linux 10.0
oracle retail_merchandising_system 15.0
fasterxml jackson-databind 2.10.0
fasterxml jackson-databind *
oracle retail_sales_audit 14.1
CVE-2020-10672 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-10673 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-10968 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-10969 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-11111 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle banking_digital_experience 19.2
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle retail_xstore_point_of_service 16.0
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle enterprise_manager_base_platform 13.4.0.0
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.4.0
oracle primavera_unifier 19.12
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 18.0
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-11112 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-11113 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.3.0
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-11619 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle retail_xstore_point_of_service 16.0
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
fasterxml jackson-databind *
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle enterprise_manager_base_platform 13.4.0.0
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.4.0
oracle primavera_unifier 19.12
oracle communications_network_charging_and_control 6.0.1
netapp active_iq_unified_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle retail_xstore_point_of_service 18.0
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-11620 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle weblogic_server 12.2.1.3.0
oracle retail_xstore_point_of_service 16.0
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
fasterxml jackson-databind *
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle enterprise_manager_base_platform 13.4.0.0
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.4.0
oracle primavera_unifier 19.12
oracle communications_network_charging_and_control 6.0.1
netapp active_iq_unified_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle retail_xstore_point_of_service 15.0
oracle retail_xstore_point_of_service 18.0
oracle retail_xstore_point_of_service 19.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-14060 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle banking_digital_experience 19.2
oracle communications_calendar_server 8.0.0.4.0
oracle banking_digital_experience 18.3
oracle communications_element_manager *
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle communications_diameter_signaling_router *
oracle banking_digital_experience 19.1
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle communications_session_report_manager *
oracle communications_contacts_server 8.0.0.5.0
oracle agile_plm 9.3.6
CVE-2020-14061 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle banking_digital_experience 19.2
oracle communications_calendar_server 8.0.0.4.0
oracle banking_digital_experience 18.3
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_element_manager *
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle communications_diameter_signaling_router *
oracle banking_digital_experience 19.1
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle communications_session_report_manager *
oracle communications_contacts_server 8.0.0.5.0
oracle agile_plm 9.3.6
debian debian_linux 8.0
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-14062 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle banking_digital_experience 19.2
oracle communications_calendar_server 8.0.0.4.0
oracle banking_digital_experience 18.3
oracle communications_element_manager *
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle communications_diameter_signaling_router *
oracle banking_digital_experience 19.1
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle communications_session_report_manager *
oracle communications_contacts_server 8.0.0.5.0
oracle agile_plm 9.3.6
debian debian_linux 8.0
CVE-2020-14195 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle banking_digital_experience 19.2
oracle communications_calendar_server 8.0.0.4.0
oracle banking_digital_experience 18.3
oracle communications_element_manager *
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle communications_diameter_signaling_router *
oracle banking_digital_experience 19.1
netapp steelstore_cloud_integrated_storage -
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle communications_session_report_manager *
oracle communications_contacts_server 8.0.0.5.0
oracle agile_plm 9.3.6
debian debian_linux 8.0
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-24616 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_calendar_server 8.0.0.4.0
oracle communications_services_gatekeeper 7.0
oracle banking_supply_chain_finance 14.5
oracle communications_calendar_server 8.0
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle communications_messaging_server 8.1
debian debian_linux 9.0
oracle identity_manager_connector 11.1.1.5.0
oracle siebel_ui_framework *
oracle communications_contacts_server 8.0.0.5.0
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
netapp active_iq_unified_manager -
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_element_manager *
oracle communications_unified_inventory_management 7.4.1
oracle communications_contacts_server 8.0
oracle banking_liquidity_management 14.3
oracle communications_diameter_signaling_router *
oracle communications_pricing_design_center 12.0.0.4.0
oracle banking_supply_chain_finance 14.2
oracle communications_instant_messaging_server 10.0.1.5.0
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle banking_liquidity_management 14.5
oracle agile_plm 9.3.6
oracle banking_liquidity_management 14.2
CVE-2020-24750 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle communications_services_gatekeeper 7.0
oracle communications_calendar_server 8.0
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle communications_session_report_manager *
oracle communications_messaging_server 8.1
debian debian_linux 9.0
oracle identity_manager_connector 11.1.1.5.0
oracle banking_credit_facilities_process_management 14.3.0
oracle siebel_ui_framework *
oracle communications_contacts_server 8.0.0.5.0
oracle banking_credit_facilities_process_management 14.2.0
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.5.0
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_element_manager *
oracle communications_unified_inventory_management 7.4.1
oracle banking_supply_chain_finance 14.2.0
oracle banking_supply_chain_finance 14.3.0
oracle communications_contacts_server 8.0
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_corporate_lending_process_management 14.3.0
oracle banking_liquidity_management 14.3
oracle communications_diameter_signaling_router *
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle siebel_core_-_server_framework *
oracle communications_policy_management 12.5.0
oracle banking_liquidity_management 14.5
oracle communications_offline_mediation_controller 12.0.0.3.0
oracle agile_plm 9.3.6
oracle banking_corporate_lending_process_management 14.5.0
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_liquidity_management 14.2
CVE-2020-25649 MEDIUM

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle banking_apis 20.1
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_platform 2.8.0
oracle banking_platform 2.9.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle retail_xstore_point_of_service 18.0.3
fedoraproject fedora 32
oracle banking_apis 21.1
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle banking_platform 2.7.0
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle retail_service_backbone 16.0.3
oracle utilities_framework 4.3.0.5.0
oracle banking_apis 19.1
oracle banking_platform 2.10.0
oracle retail_xstore_point_of_service 20.0.1
oracle communications_unified_inventory_management 7.4.1
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle primavera_gateway *
oracle utilities_framework 4.4.0.2.0
oracle utilities_framework 4.4.0.3.0
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_interactive_session_recorder 6.4
oracle communications_network_charging_and_control 12.0.4.0.0
oracle insurance_policy_administration *
oracle sd-wan_edge 9.0
netapp oncommand_api_services -
oracle banking_apis 19.2
oracle banking_apis *
fasterxml jackson-databind *
oracle agile_product_lifecycle_management_integration_pack 3.6
oracle retail_service_backbone 14.1.3.2
oracle communications_messaging_server 8.1
oracle coherence 14.1.1.0.0
oracle communications_interactive_session_recorder 6.3
netapp service_level_manager -
oracle retail_xstore_point_of_service 16.0.6
quarkus quarkus *
oracle health_sciences_empirica_signal 9.0
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_platform 2.7.1
oracle commerce_platform *
apache iotdb *
oracle banking_platform 2.6.2
oracle primavera_gateway 20.12.0
oracle insurance_rules_palette 11.0.2
oracle utilities_framework 4.4.0.0.0
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_messaging_server 8.0.2
oracle retail_service_backbone 15.0.3.1
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle utilities_framework 4.3.0.6.0
oracle health_sciences_empirica_signal 9.1
oracle agile_plm 9.3.6
netapp oncommand_workflow_automation -
oracle coherence 12.2.1.4.0
CVE-2020-28491 MEDIUM

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 14.1.1.0.0
fasterxml jackson-dataformats-binary 2.12.0
quarkus quarkus *
oracle weblogic_server 12.2.1.4.0
fasterxml jackson-dataformats-binary *
CVE-2020-35490 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle banking_platform 2.8.0
oracle banking_platform 2.9.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle communications_cloud_native_core_policy 1.14.0
oracle retail_xstore_point_of_service 18.0.3
debian debian_linux 9.0
oracle communications_interactive_session_recorder 6.3
netapp service_level_manager -
oracle webcenter_portal 12.2.1.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle banking_platform 2.7.0
oracle documaker 12.6.3
oracle blockchain_platform *
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.10.0
oracle banking_platform 2.7.1
oracle retail_merchandising_system 15.0.3
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.6.2
oracle documaker 12.6.4
oracle communications_diameter_signaling_router *
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_policy_administration_j2ee 11.2.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle banking_treasury_management 14.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_interactive_session_recorder 6.4
oracle banking_virtual_account_management 14.5.0
CVE-2020-35491 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle banking_platform 2.8.0
oracle banking_platform 2.9.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle communications_cloud_native_core_policy 1.14.0
oracle retail_xstore_point_of_service 18.0.3
debian debian_linux 9.0
netapp service_level_manager -
oracle webcenter_portal 12.2.1.3.0
oracle insurance_policy_administration_j2ee 11.0.2
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle banking_platform 2.7.0
oracle documaker 12.6.3
oracle blockchain_platform *
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.10.0
oracle retail_customer_management_and_segmentation_foundation *
oracle banking_platform 2.7.1
oracle retail_merchandising_system 15.0.3
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.6.2
oracle documaker 12.6.4
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle communications_diameter_signaling_route -
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle banking_treasury_management 14.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_diameter_signaling_route *
oracle banking_virtual_account_management 14.5.0
oracle sd-wan_edge 9.0
CVE-2020-35728 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle communications_unified_inventory_management 7.4.1
oracle autovue 21.0.2
oracle banking_supply_chain_finance 14.2
oracle banking_corporate_lending_process_management 14.5
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle banking_treasury_management 14.4
oracle communications_diameter_signaling_route *
CVE-2020-36179 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle banking_virtual_account_management 14.3.0
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle communications_unified_inventory_management 7.4.1
oracle banking_supply_chain_finance 14.2
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle communications_session_report_manager *
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle banking_treasury_management 14.4
oracle communications_diameter_signaling_route *
CVE-2020-36180 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36181 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36182 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36183 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36184 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36185 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36186 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36187 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36188 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_supply_chain_finance 14.5
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_credit_facilities_process_management 14.3
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle banking_extensibility_workbench 14.2
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.4.0
oracle communications_element_manager *
oracle documaker 12.6.0
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle banking_supply_chain_finance 14.2
oracle banking_treasury_management 4.4
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_corporate_lending_process_management 14.5
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle banking_credit_facilities_process_management 14.2
oracle communications_session_route_manager *
oracle banking_corporate_lending_process_management 14.3
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_extensibility_workbench 14.3
oracle communications_session_report_manager *
oracle banking_extensibility_workbench 14.5
debian debian_linux 9.0
netapp service_level_manager -
oracle banking_credit_facilities_process_management 14.5
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle banking_supply_chain_finance 14.3
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_corporate_lending_process_management 14.2
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle primavera_gateway 20.12.0
oracle retail_service_backbone 16.0.3.0
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
oracle retail_service_backbone 15.0.3.1
oracle communications_policy_management 12.5.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle primavera_unifier 17.2
oracle communications_diameter_signaling_route *
CVE-2020-36189 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_services_gatekeeper 7.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle insurance_rules_palette *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_platform 2.8.0
oracle banking_platform 2.9.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_evolved_communications_application_server 7.1
oracle retail_xstore_point_of_service 18.0.3
oracle primavera_unifier 18.8
oracle commerce_platform 11.2.0
oracle webcenter_portal 12.2.1.3.0
oracle primavera_unifier 20.12
oracle jd_edwards_enterpriseone_orchestrator *
oracle banking_platform 2.7.0
oracle documaker 12.6.3
oracle banking_virtual_account_management 14.3.0
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle retail_service_backbone 16.0.3
oracle banking_platform 2.10.0
oracle primavera_unifier 19.12
oracle communications_unified_inventory_management 7.4.1
oracle documaker 12.6.4
oracle communications_instant_messaging_server 10.0.1.5.0
netapp cloud_backup -
oracle primavera_gateway *
oracle webcenter_portal 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_interactive_session_recorder 6.4
oracle communications_network_charging_and_control 12.0.4.0.0
oracle banking_virtual_account_management 14.5.0
oracle primavera_unifier *
oracle insurance_policy_administration *
oracle communications_session_route_manager *
fasterxml jackson-databind *
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle communications_cloud_native_core_policy 1.14.0
oracle communications_messaging_server 8.1
debian debian_linux 9.0
oracle communications_interactive_session_recorder 6.3
netapp service_level_manager -
oracle banking_virtual_account_management 14.2.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_policy_administration 11.0.2
oracle blockchain_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle retail_customer_management_and_segmentation_foundation *
oracle banking_platform 2.7.1
oracle retail_merchandising_system 15.0.3
oracle commerce_platform *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_platform 2.6.2
oracle primavera_gateway 20.12.0
oracle insurance_rules_palette 11.0.2
oracle communications_diameter_signaling_router *
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_messaging_server 8.0.2
oracle retail_service_backbone 15.0.3.1
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_xstore_point_of_service 17.0.4
oracle agile_plm 9.3.6
oracle banking_treasury_management 14.4
CVE-2020-36518 MEDIUM

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
oracle commerce_platform 11.3.2
oracle financial_services_analytical_applications_infrastructure 8.1.2.0
oracle primavera_unifier 20.12
oracle financial_services_enterprise_case_management 8.0.7.2
oracle health_sciences_empirica_signal 9.1.0.5.2
oracle global_lifecycle_management_nextgen_oui_framework *
oracle weblogic_server 12.2.1.4.0
oracle communications_cloud_native_core_unified_data_repository 22.2.0
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle utilities_framework 4.3.0.5.0
debian debian_linux 11.0
netapp snap_creator_framework -
netapp active_iq_unified_manager -
oracle primavera_unifier 19.12
netapp oncommand_insight -
oracle big_data_spatial_and_graph *
oracle financial_services_analytical_applications_infrastructure 8.1.2.1
oracle financial_services_enterprise_case_management 8.0.8.0
oracle primavera_p6_enterprise_project_portfolio_management *
oracle primavera_gateway *
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle utilities_framework 4.4.0.3.0
oracle commerce_platform 11.3.0
oracle communications_billing_and_revenue_management *
oracle primavera_unifier *
oracle communications_cloud_native_core_console 1.9.0
oracle financial_services_enterprise_case_management *
oracle communications_cloud_native_core_service_communication_proxy 22.2.0
oracle financial_services_trade-based_anti_money_laundering 8.0.7
oracle sd-wan_edge 9.0
oracle weblogic_server 12.2.1.3.0
oracle financial_services_behavior_detection_platform *
oracle financial_services_enterprise_case_management 8.0.8.1
oracle sd-wan_edge 9.1
oracle weblogic_server 14.1.1.0.0
oracle primavera_unifier 21.12
fasterxml jackson-databind *
oracle retail_sales_audit 15.0.3.1
oracle spatial_studio *
oracle communications_cloud_native_core_network_repository_function 22.1.2
oracle financial_services_analytical_applications_infrastructure 8.1.1.0
debian debian_linux 9.0
oracle coherence 14.1.1.0.0
netapp cloud_insights_acquisition_unit -
oracle commerce_platform 11.3.1
oracle financial_services_behavior_detection_platform 8.0.7.0.0
oracle primavera_unifier 18.0
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle communications_cloud_native_core_network_slice_selection_function 22.1.0
oracle communications_cloud_native_core_network_slice_selection_function 22.1.1
oracle financial_services_trade-based_anti_money_laundering 8.0.8
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle financial_services_behavior_detection_platform 8.0.8
oracle utilities_framework 4.4.0.0.0
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle utilities_framework 4.3.0.6.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_workflow_automation -
oracle financial_services_enterprise_case_management 8.0.7.1
oracle utilities_framework 4.4.0.5.0
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle graph_server_and_client *
CVE-2020-8840 HIGH

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
huawei oceanstor_9000_firmware v300r006c20spc200
netapp service_level_manager -
huawei oceanstor_9000_firmware v300r006c20
debian debian_linux 8.0
netapp oncommand_workflow_automation -
fasterxml jackson-databind *
huawei oceanstor_9000_firmware v300r006c20spc100
huawei oceanstor_9000_firmware v300r006c20spc300
netapp steelstore_cloud_integrated_storage -
netapp oncommand_api_services -
oracle global_lifecycle_management_opatch *
CVE-2020-9546 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 19.2
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle enterprise_manager_base_platform 13.4.0.0
oracle primavera_unifier 19.12
oracle communications_element_manager *
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 18.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_session_route_manager *
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
oracle retail_service_backbone 16.0
oracle banking_digital_experience 18.2
oracle retail_service_backbone 15.0
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
oracle financial_services_institutional_performance_analytics 8.7.0
debian debian_linux 8.0
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 14.1
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-9547 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle weblogic_server 12.2.1.3.0
oracle retail_xstore_point_of_service 16.0
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
fasterxml jackson-databind *
oracle communications_evolved_communications_application_server 7.1
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle banking_platform *
oracle enterprise_manager_base_platform 13.4.0.0
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.4.0
oracle primavera_unifier 19.12
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
netapp active_iq_unified_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle retail_xstore_point_of_service 15.0
oracle retail_xstore_point_of_service 18.0
oracle retail_xstore_point_of_service 19.0
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2020-9548 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle communications_session_route_manager *
oracle banking_digital_experience 19.2
oracle communications_calendar_server 8.0.0.4.0
oracle weblogic_server 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle retail_xstore_point_of_service 16.0
oracle communications_network_charging_and_control *
oracle primavera_unifier 16.1
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle communications_evolved_communications_application_server 7.1
oracle banking_digital_experience 20.1
oracle primavera_unifier 16.2
oracle communications_session_report_manager *
oracle primavera_unifier 18.8
oracle communications_contacts_server 8.0.0.5.0
oracle retail_xstore_point_of_service 17.0
debian debian_linux 8.0
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle retail_merchandising_system 15.0
oracle banking_platform *
oracle enterprise_manager_base_platform 13.4.0.0
oracle retail_sales_audit 14.1
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.4.0
oracle primavera_unifier 19.12
oracle communications_network_charging_and_control 6.0.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_element_manager *
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.3.0.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 15.0
oracle banking_digital_experience 19.1
oracle retail_xstore_point_of_service 18.0
oracle retail_xstore_point_of_service 19.0
oracle agile_plm 9.3.6
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier *
oracle communications_instant_messaging_server 10.0.1.4.0
CVE-2021-20190 HIGH

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
apache nifi *
netapp active_iq_unified_manager -
debian debian_linux 9.0
netapp oncommand_insight -
netapp service_level_manager -
fasterxml jackson-databind *
netapp oncommand_api_services -
oracle commerce_guided_search_and_experience_manager 11.3.2
CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Products Affected

Vendor Product Version
xstream_project xstream *
fasterxml woodstox *
CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Products Affected

Vendor Product Version
debian debian_linux 11.0
debian debian_linux 10.0
netapp oncommand_workflow_automation -
quarkus quarkus *
fasterxml jackson-databind *
CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Products Affected

Vendor Product Version
debian debian_linux 11.0
debian debian_linux 10.0
netapp oncommand_workflow_automation -
quarkus quarkus *
fasterxml jackson-databind *
CVE-2023-35116

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

Products Affected

Vendor Product Version
fasterxml jackson-databind *
CVE-2023-3894

Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
fasterxml jackson-dataformats-text *
CVE-2026-29062

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Products Affected

Vendor Product Version
fasterxml jackson-core *