XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 24 |
| fasterxml | jackson-dataformat-xml | * |
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N | 3.9 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,CWE-918,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-dataformat-xml | 2.8.0 |
| fasterxml | jackson-dataformat-xml | 2.8.1 |
| fasterxml | jackson-dataformat-xml | 2.8.2 |
| fasterxml | jackson-dataformat-xml | * |
| fasterxml | jackson-dataformat-xml | 2.8.3 |
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-184,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| redhat | satellite | 6.4 |
| fasterxml | jackson-databind | 2.9.0 |
| oracle | enterprise_manager_for_virtualization | 13.3.1 |
| redhat | jboss_enterprise_application_platform | 7.1.0 |
| oracle | primavera_unifier | 16.1 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| oracle | communications_instant_messaging_server | 10.0.1.2.0 |
| fasterxml | jackson-databind | * |
| oracle | utilities_advanced_spatial_and_operational_analytics | 2.7.0.1 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 |
| redhat | openshift_container_platform | 3.11 |
| redhat | satellite_capsule | 6.4 |
| oracle | database_server | 18.1 |
| netapp | snapcenter | - |
| oracle | primavera_unifier | 16.2 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.3 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | enterprise_manager_for_virtualization | 13.2.2 |
| debian | debian_linux | 8.0 |
| netapp | oncommand_shift | - |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.3 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.2 |
| redhat | jboss_enterprise_application_platform | 6.4.0 |
| oracle | identity_manager | 11.1.2.3.0 |
| oracle | database_server | 12.2.0.1 |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | global_lifecycle_management_opatchauto | * |
| oracle | banking_platform | 2.5.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.4 |
| oracle | banking_platform | 2.6.2 |
| redhat | jboss_enterprise_application_platform | 6.0.0 |
| oracle | identity_manager | 12.2.1.3.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 |
| oracle | communications_diameter_signaling_router | * |
| netapp | oncommand_performance_manager | - |
| redhat | openshift_container_platform | 4.1 |
| oracle | clusterware | 12.1.0.2.0 |
| oracle | primavera_unifier | * |
| netapp | oncommand_balance | - |
| oracle | communications_billing_and_revenue_management | 12.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.5 |
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | jboss_enterprise_application_platform | 6.0.0 |
| netapp | e-series_santricity_os_controller | * |
| fasterxml | jackson-databind | * |
| redhat | openshift_container_platform | 3.11 |
| netapp | snapcenter | - |
| debian | debian_linux | 9.0 |
| redhat | openshift_container_platform | 4.1 |
| debian | debian_linux | 8.0 |
| netapp | oncommand_shift | - |
| redhat | jboss_enterprise_application_platform | 7.1 |
| redhat | jboss_enterprise_application_platform | 6.4.0 |
| netapp | e-series_santricity_web_services_proxy | - |
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-184,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-databind | 2.9.0 |
| oracle | enterprise_manager_for_virtualization | 13.3.1 |
| redhat | jboss_enterprise_application_platform | 7.0 |
| oracle | primavera_unifier | 16.1 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| oracle | communications_instant_messaging_server | 10.0.1.2.0 |
| fasterxml | jackson-databind | * |
| redhat | virtualization_host | 4.0 |
| oracle | utilities_advanced_spatial_and_operational_analytics | 2.7.0.1 |
| redhat | openshift_container_platform | 3.11 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.2.0.0 |
| netapp | snapcenter | - |
| oracle | primavera_unifier | 16.2 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.3 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | enterprise_manager_for_virtualization | 13.2.2 |
| debian | debian_linux | 8.0 |
| netapp | oncommand_shift | - |
| redhat | jboss_enterprise_application_platform | 7.1 |
| redhat | jboss_enterprise_application_platform | 6.4.0 |
| oracle | banking_platform | 2.6.1 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.4.0.0 |
| oracle | communications_instant_messaging_server | 10.0.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | global_lifecycle_management_opatchauto | * |
| oracle | banking_platform | 2.5.0 |
| oracle | banking_platform | 2.6.2 |
| redhat | jboss_enterprise_application_platform | 6.0.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7.0.0 |
| netapp | oncommand_performance_manager | - |
| oracle | communications_communications_policy_management | * |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6.0.0 |
| redhat | openshift_container_platform | 4.1 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.5.0.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.3.0.0 |
| redhat | virtualization | 4.0 |
| oracle | communications_diameter_signaling_route | * |
| oracle | primavera_unifier | * |
| netapp | oncommand_balance | - |
| oracle | communications_billing_and_revenue_management | 12.0 |
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | database_server | 12.2.0.1 |
| fasterxml | jackson-modules-java8 | * |
| oracle | database_server | 18c |
| oracle | clusterware | 12.1.0.2.0 |
| oracle | nosql_database | * |
| netapp | active_iq_unified_manager | * |
| oracle | database_server | 12.1.0.2 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | database_server | 19c |
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openshift_container_platform | 4.1 |
| oracle | clusterware | 12.1.0.2.0 |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| oracle | communications_instant_messaging_server | 10.0.1.2.0 |
| fasterxml | jackson-databind | * |
| oracle | utilities_advanced_spatial_and_operational_analytics | 2.7.0.1 |
| redhat | openshift_container_platform | 3.11 |
| oracle | global_lifecycle_management_opatch | * |
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| redhat | automation_manager | 7.3.1 |
| debian | debian_linux | 9.0 |
| redhat | jboss_enterprise_application_platform | 7.2.0 |
| fedoraproject | fedora | 29 |
| redhat | jboss_brms | 6.4.10 |
| oracle | retail_merchandising_system | 15.0 |
| redhat | decision_manager | 7.3.1 |
| fasterxml | jackson-databind | * |
| redhat | openshift_container_platform | 3.11 |
| redhat | single_sign-on | 7.3 |
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| redhat | automation_manager | 7.3.1 |
| debian | debian_linux | 9.0 |
| redhat | jboss_enterprise_application_platform | 7.2.0 |
| fedoraproject | fedora | 29 |
| redhat | jboss_brms | 6.4.10 |
| oracle | retail_merchandising_system | 15.0 |
| redhat | decision_manager | 7.3.1 |
| fasterxml | jackson-databind | * |
| redhat | openshift_container_platform | 3.11 |
| redhat | single_sign-on | 7.3 |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| oracle | jdeveloper | 12.2.1.3.0 |
| redhat | openshift_container_platform | 3.10 |
| oracle | enterprise_manager_for_virtualization | 13.3.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 |
| netapp | steelstore_cloud_integrated_storage | - |
| netapp | snapcenter | - |
| oracle | primavera_unifier | 18.8 |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | business_process_management_suite | 12.2.1.3.0 |
| oracle | banking_platform | 2.6.1 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.4 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * |
| oracle | jdeveloper | 12.1.3.0.0 |
| oracle | business_process_management_suite | 12.1.3.0.0 |
| redhat | openshift_container_platform | * |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.1 |
| oracle | primavera_unifier | * |
| oracle | communications_billing_and_revenue_management | 12.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.5 |
| oracle | communications_instant_messaging_server | 10.0.1.3.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.1 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.2 |
| fasterxml | jackson-databind | * |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.2 |
| oracle | primavera_unifier | 16.2 |
| oracle | retail_workforce_management_software | 1.60.9.0.0 |
| debian | debian_linux | 9.0 |
| oracle | enterprise_manager_for_virtualization | 13.2.3 |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| oracle | siebel_ui_framework | * |
| oracle | primavera_p6_enterprise_project_portfolio_management | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.2 |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.3 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.2 |
| oracle | retail_merchandising_system | 16.0 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | global_lifecycle_management_opatch | * |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | nosql_database | * |
| oracle | banking_platform | 2.6.2 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 |
| netapp | oncommand_workflow_automation | - |
| oracle | nosql_database | 19.3.12 |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jdeveloper | 12.2.1.3.0 |
| oracle | enterprise_manager_for_virtualization | 13.3.1 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.2 |
| fasterxml | jackson-databind | * |
| netapp | steelstore_cloud_integrated_storage | * |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.2 |
| oracle | database_server | 19c |
| netapp | snapcenter | - |
| oracle | primavera_unifier | 16.2 |
| oracle | retail_workforce_management_software | 1.60.9.0.0 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.3 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.2 |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.3 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.2 |
| oracle | retail_merchandising_system | 16.0 |
| oracle | business_process_management_suite | 12.2.1.3.0 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | database_server | 12.2.0.1 |
| oracle | banking_platform | 2.6.1 |
| oracle | database_server | 11.2.0.4 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.4 |
| oracle | banking_platform | 2.6.2 |
| oracle | database_server | 12.1.0.2 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * |
| oracle | database_server | 18c |
| oracle | jdeveloper | 12.1.3.0.0 |
| oracle | clusterware | 12.1.0.2.0 |
| oracle | business_process_management_suite | 12.1.3.0.0 |
| redhat | openshift_container_platform | * |
| netapp | oncommand_workflow_automation | - |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.1 |
| oracle | primavera_unifier | * |
| oracle | communications_billing_and_revenue_management | 12.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.5 |
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jdeveloper | 12.2.1.3.0 |
| fasterxml | jackson-databind | 2.9.0 |
| oracle | enterprise_manager_for_virtualization | 13.3.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| fasterxml | jackson-databind | * |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 |
| fasterxml | jackson-databind | 2.8.0 |
| redhat | openshift_container_platform | 3.11 |
| oracle | primavera_unifier | 16.2 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.3 |
| redhat | jboss_enterprise_application_platform | 7.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | enterprise_manager_for_virtualization | 13.2.2 |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.3 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.2 |
| oracle | retail_merchandising_system | 16.0 |
| fasterxml | jackson-databind | 2.7.0 |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.4 |
| oracle | banking_platform | 2.6.2 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 |
| oracle | jdeveloper | 12.1.3.0.0 |
| oracle | primavera_unifier | * |
| oracle | communications_billing_and_revenue_management | 12.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.5 |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-918,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jdeveloper | 12.2.1.3.0 |
| fasterxml | jackson-databind | 2.9.0 |
| oracle | enterprise_manager_for_virtualization | 13.3.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| fasterxml | jackson-databind | * |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 |
| fasterxml | jackson-databind | 2.8.0 |
| redhat | openshift_container_platform | 3.11 |
| oracle | primavera_unifier | 16.2 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | enterprise_manager_for_virtualization | 13.2.3 |
| redhat | jboss_enterprise_application_platform | 7.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | enterprise_manager_for_virtualization | 13.2.2 |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.3 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.2 |
| oracle | retail_merchandising_system | 16.0 |
| fasterxml | jackson-databind | 2.7.0 |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.4 |
| oracle | banking_platform | 2.6.2 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 |
| oracle | jdeveloper | 12.1.3.0.0 |
| oracle | primavera_unifier | * |
| oracle | communications_billing_and_revenue_management | 12.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.5 |
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.2 |
| fasterxml | jackson-databind | * |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.2 |
| redhat | openshift_container_platform | 3.11 |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * |
| oracle | retail_workforce_management_software | 1.60.9.0.0 |
| redhat | automation_manager | 7.3.1 |
| oracle | primavera_unifier | 18.8 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | business_process_management_suite | 12.1.3.0.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 18.8 |
| debian | debian_linux | 8.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.1 |
| redhat | jboss_brms | 6.4.10 |
| redhat | decision_manager | 7.3.1 |
| oracle | primavera_unifier | * |
| oracle | business_process_management_suite | 12.2.1.3.0 |
| redhat | jboss_bpm_suite | 6.4.11 |
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.2 |
| fasterxml | jackson-databind | * |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.2 |
| redhat | openshift_container_platform | 3.11 |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * |
| oracle | retail_workforce_management_software | 1.60.9.0.0 |
| redhat | automation_manager | 7.3.1 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | business_process_management_suite | 12.1.3.0.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 18.8 |
| debian | debian_linux | 8.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.1 |
| redhat | jboss_brms | 6.4.10 |
| redhat | decision_manager | 7.3.1 |
| oracle | primavera_unifier | * |
| oracle | business_process_management_suite | 12.2.1.3.0 |
| redhat | jboss_bpm_suite | 6.4.11 |
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.1 |
| oracle | primavera_unifier | 16.1 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 15.2 |
| fasterxml | jackson-databind | * |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.2 |
| redhat | openshift_container_platform | 3.11 |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * |
| oracle | retail_workforce_management_software | 1.60.9.0.0 |
| redhat | automation_manager | 7.3.1 |
| oracle | primavera_unifier | 18.8 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | business_process_management_suite | 12.1.3.0.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 18.8 |
| debian | debian_linux | 8.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 16.1 |
| redhat | jboss_brms | 6.4.10 |
| redhat | decision_manager | 7.3.1 |
| oracle | primavera_unifier | * |
| oracle | business_process_management_suite | 12.2.1.3.0 |
| redhat | jboss_bpm_suite | 6.4.11 |
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-184,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| redhat | openshift_container_platform | 4.1 |
| redhat | virtualization | 4.0 |
| debian | debian_linux | 8.0 |
| netapp | oncommand_shift | - |
| redhat | jboss_enterprise_application_platform | 7.1 |
| netapp | e-series_santricity_os_controller | * |
| fasterxml | jackson-databind | * |
| redhat | virtualization_host | 4.0 |
| netapp | e-series_santricity_web_services_proxy | - |
| redhat | openshift_container_platform | 3.11 |
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-184,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| oracle | communications_instant_messaging_server | 10.0.1 |
| redhat | jboss_enterprise_application_platform | 7.1.2 |
| debian | debian_linux | 8.0 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| redhat | jboss_enterprise_application_platform | 6.4.19 |
| fasterxml | jackson-databind | * |
| oracle | communications_billing_and_revenue_management | 12.0 |
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| redhat | jboss_enterprise_application_platform | 7.0 |
| debian | debian_linux | 8.0 |
| redhat | jboss_fuse | 7.0.0 |
| apache | spark | 3.0.1 |
| fasterxml | jackson-mapper-asl | * |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| debian | debian_linux | 8.0 |
| fasterxml | jackson-databind | * |
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 7.5 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux | 7.7 |
| fasterxml | jackson-databind | * |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 7.4 |
| redhat | enterprise_linux | 7.6 |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| fasterxml | jackson-databind | * |
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-1321,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| apple | xcode | * |
| fedoraproject | fedora | 30 |
| oracle | communications_instant_messaging_server | 10.0.1.3.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | primavera_unifier | 16.1 |
| oracle | retail_xstore_point_of_service | 7.1 |
| fasterxml | jackson-databind | * |
| oracle | goldengate_stream_analytics | * |
| redhat | openshift_container_platform | 3.11 |
| redhat | single_sign-on | 7.3 |
| netapp | snapcenter | - |
| oracle | communications_diameter_signaling_router | 8.0.0 |
| oracle | primavera_unifier | 16.2 |
| redhat | jboss_enterprise_application_platform | 7.2 |
| oracle | primavera_unifier | 18.8 |
| netapp | service_level_manager | - |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2 |
| oracle | primavera_gateway | 17.12 |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| oracle | siebel_ui_framework | * |
| oracle | banking_platform | 2.4.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | communications_diameter_signaling_router | 8.1 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.7.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | communications_diameter_signaling_router | 8.2 |
| fedoraproject | fedora | 29 |
| oracle | primavera_gateway | 18.8.0 |
| netapp | active_iq_unified_manager | * |
| oracle | primavera_gateway | 15.2 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | communications_diameter_signaling_router | 8.2.1 |
| oracle | primavera_gateway | 16.2 |
| oracle | retail_xstore_point_of_service | 18.0 |
| redhat | openshift_container_platform | 4.1 |
| netapp | oncommand_workflow_automation | - |
| oracle | primavera_unifier | * |
| fedoraproject | fedora | 31 |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| fedoraproject | fedora | 30 |
| oracle | communications_instant_messaging_server | 10.0.1.3.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | retail_xstore_point_of_service | 7.1 |
| fasterxml | jackson-databind | * |
| oracle | goldengate_stream_analytics | * |
| oracle | communications_diameter_signaling_router | 8.0.0 |
| debian | debian_linux | 9.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2 |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| oracle | siebel_ui_framework | * |
| oracle | banking_platform | 2.4.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | global_lifecycle_management_opatch | 13.9.4.2.1 |
| oracle | communications_diameter_signaling_router | 8.1 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.7.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | communications_diameter_signaling_router | 8.2 |
| fedoraproject | fedora | 29 |
| oracle | primavera_gateway | 18.8.0 |
| oracle | primavera_gateway | 15.2 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | communications_diameter_signaling_router | 8.2.1 |
| oracle | global_lifecycle_management_opatch | 11.2.0.3.23 |
| oracle | primavera_gateway | 16.1 |
| oracle | primavera_gateway | 16.2 |
| oracle | retail_xstore_point_of_service | 18.0 |
| apache | drill | 1.16.0 |
| oracle | primavera_gateway | * |
| redhat | jboss_middleware_text-only_advisories | 1.0 |
| debian | debian_linux | 10.0 |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | weblogic_server | 12.2.1.3.0 |
| fedoraproject | fedora | 30 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | primavera_unifier | 16.1 |
| oracle | retail_xstore_point_of_service | 7.1 |
| fasterxml | jackson-databind | * |
| oracle | goldengate_stream_analytics | * |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | primavera_unifier | 16.2 |
| redhat | jboss_enterprise_application_platform | 7.2 |
| debian | debian_linux | 9.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | primavera_gateway | 17.12.6 |
| oracle | primavera_gateway | 17.12 |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| oracle | banking_platform | 2.4.0 |
| oracle | customer_management_and_segmentation_foundation | 18.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | primavera_gateway | 18.8.8.1 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | primavera_gateway | 16.2.11 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.7.1 |
| oracle | primavera_unifier | 19.12 |
| oracle | mysql | * |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | primavera_gateway | 18.8.0 |
| oracle | primavera_gateway | 15.2 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | primavera_gateway | 16.2 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | primavera_gateway | 15.2.18 |
| debian | debian_linux | 10.0 |
| netapp | oncommand_workflow_automation | - |
| oracle | primavera_unifier | * |
| fedoraproject | fedora | 31 |
| netapp | oncommand_api_services | - |
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-200,CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | jboss_enterprise_application_platform | 7.0 |
| redhat | jboss_data_grid | - |
| redhat | jboss_fuse | 7.0.0 |
| apache | geode | 1.12.0 |
| redhat | decision_manager | 7.0 |
| redhat | process_automation | 7.0 |
| fasterxml | jackson-databind | * |
| redhat | openshift_container_platform | 4.3 |
| redhat | jboss_data_grid | 7.0.0 |
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-200,CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-databind | * |
| oracle | goldengate_stream_analytics | * |
| netapp | steelstore_cloud_integrated_storage | - |
| netapp | oncommand_api_services | - |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | weblogic_server | 12.2.1.3.0 |
| fedoraproject | fedora | 30 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | retail_xstore_point_of_service | 7.1 |
| fasterxml | jackson-databind | * |
| oracle | goldengate_stream_analytics | * |
| netapp | steelstore_cloud_integrated_storage | - |
| redhat | jboss_enterprise_application_platform | 7.2 |
| debian | debian_linux | 9.0 |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| oracle | banking_platform | 2.4.0 |
| oracle | customer_management_and_segmentation_foundation | 18.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.7.1 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | primavera_gateway | 18.8.0 |
| oracle | primavera_gateway | 15.2 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | primavera_gateway | 16.1 |
| oracle | primavera_gateway | 16.2 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | primavera_gateway | * |
| debian | debian_linux | 10.0 |
| netapp | oncommand_workflow_automation | - |
| fedoraproject | fedora | 31 |
| netapp | oncommand_api_services | - |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| fedoraproject | fedora | 30 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | primavera_unifier | 16.1 |
| oracle | banking_platform | 2.9.0 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | database_server | 19c |
| oracle | primavera_gateway | 19.12.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2 |
| redhat | jboss_enterprise_application_platform | 7.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | communications_calendar_server | 8.0.0.2.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 |
| oracle | retail_merchandising_system | 16.0.2 |
| oracle | banking_platform | 2.6.1 |
| oracle | primavera_unifier | 19.12 |
| oracle | retail_merchandising_system | 16.0.3 |
| netapp | active_iq_unified_manager | * |
| oracle | database_server | 18c |
| oracle | communications_calendar_server | 8.0.0.3.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 12.2.1.4.0 |
| oracle | primavera_gateway | * |
| debian | debian_linux | 10.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | primavera_unifier | * |
| fedoraproject | fedora | 31 |
| netapp | oncommand_api_services | - |
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | weblogic_server | 12.2.1.3.0 |
| fasterxml | jackson-databind | * |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.2.1 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 12.2.1.3.0 |
| oracle | siebel_ui_framework | 20.6 |
| oracle | primavera_unifier | 16.2 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | siebel_ui_framework | * |
| oracle | banking_platform | 2.4.0 |
| debian | debian_linux | 8.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | database_server | 12.2.0.1 |
| oracle | banking_platform | 2.7.1 |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | banking_platform | 2.6.2 |
| oracle | webcenter_sites | 12.2.1.3.0 |
| oracle | webcenter_sites | 12.2.1.4.0 |
| netapp | oncommand_workflow_automation | - |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | trace_file_analyzer | 12.2.0.1 |
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| fedoraproject | fedora | 30 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_platform | 2.9.0 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | primavera_gateway | 19.12.0 |
| redhat | jboss_enterprise_application_platform | 7.2 |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | communications_calendar_server | 8.0.0.2.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 |
| oracle | retail_merchandising_system | 16.0.2 |
| oracle | banking_platform | 2.6.1 |
| oracle | retail_merchandising_system | 16.0.3 |
| netapp | active_iq_unified_manager | * |
| oracle | primavera_gateway | 16.1 |
| oracle | primavera_gateway | 16.2 |
| oracle | communications_calendar_server | 8.0.0.3.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 12.2.1.4.0 |
| oracle | primavera_gateway | * |
| debian | debian_linux | 10.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| fedoraproject | fedora | 31 |
| netapp | oncommand_api_services | - |
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | weblogic_server | 12.2.1.3.0 |
| fasterxml | jackson-databind | * |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.2.1 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 12.2.1.3.0 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | trace_file_analyzer | 19c |
| oracle | banking_platform | 2.4.0 |
| debian | debian_linux | 8.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | trace_file_analyzer | 18c |
| oracle | banking_platform | 2.7.1 |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | banking_platform | 2.6.0 |
| oracle | banking_platform | 2.5.0 |
| oracle | banking_platform | 2.6.2 |
| oracle | webcenter_sites | 12.2.1.3.0 |
| oracle | webcenter_sites | 12.2.1.4.0 |
| netapp | oncommand_workflow_automation | - |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | weblogic_server | 12.2.1.3.0 |
| netapp | active_iq_unified_manager | * |
| fasterxml | jackson-databind | * |
| netapp | steelstore_cloud_integrated_storage | - |
| redhat | jboss_enterprise_application_platform | 7.2 |
| netapp | service_level_manager | - |
| oracle | retail_customer_management_and_segmentation_foundation | 17.0 |
| debian | debian_linux | 8.0 |
| netapp | oncommand_workflow_automation | - |
| oracle | customer_management_and_segmentation_foundation | * |
| netapp | oncommand_api_services | - |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | trace_file_analyzer | 12.2.0.1 |
| redhat | jboss_enterprise_application_platform | 7.3 |
| oracle | jd_edwards_enterpriseone_tools | 9.2 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| fasterxml | jackson-databind | * |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.2.1 |
| oracle | banking_platform | 2.9.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 12.2.1.3.0 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | primavera_gateway | 19.12.0 |
| redhat | jboss_enterprise_application_platform | 7.2 |
| oracle | trace_file_analyzer | 19c |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | banking_platform | 2.4.0 |
| oracle | communications_calendar_server | 8.0.0.2.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | banking_platform | 2.4.1 |
| oracle | banking_platform | 2.7.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 |
| oracle | retail_merchandising_system | 16.0.2 |
| oracle | retail_sales_audit | 14.1 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | trace_file_analyzer | 18c |
| oracle | banking_platform | 2.6.1 |
| oracle | banking_platform | 2.7.1 |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | banking_platform | 2.6.0 |
| oracle | retail_merchandising_system | 16.0.3 |
| oracle | banking_platform | 2.5.0 |
| oracle | banking_platform | 2.6.2 |
| oracle | webcenter_sites | 12.2.1.3.0 |
| oracle | webcenter_sites | 12.2.1.4.0 |
| oracle | primavera_gateway | 16.1 |
| oracle | primavera_gateway | 16.2 |
| oracle | communications_calendar_server | 8.0.0.3.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 12.2.1.4.0 |
| oracle | primavera_gateway | * |
| netapp | oncommand_workflow_automation | - |
| oracle | webcenter_portal | 12.2.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | trace_file_analyzer | 12.2.0.1 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | communications_network_charging_and_control | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | primavera_unifier | 16.1 |
| fasterxml | jackson-databind | * |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.2.1 |
| oracle | goldengate_stream_analytics | * |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| netapp | snapcenter | - |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_unifier | 18.8 |
| netapp | service_level_manager | - |
| oracle | trace_file_analyzer | 19c |
| oracle | siebel_ui_framework | * |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | customer_management_and_segmentation_foundation | 18.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | banking_platform | * |
| oracle | retail_merchandising_system | 16.0.2 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | siebel_engineering_-_installer_&_deployment | * |
| oracle | global_lifecycle_management_opatch | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | trace_file_analyzer | 18c |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | retail_merchandising_system | 16.0.3 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| netapp | active_iq_unified_manager | * |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| netapp | oncommand_api_services | - |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| debian | debian_linux | 10.0 |
| oracle | retail_merchandising_system | 15.0 |
| fasterxml | jackson-databind | 2.10.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_sales_audit | 14.1 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| fasterxml | jackson-databind | * |
| oracle | banking_digital_experience | 18.2 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| fasterxml | jackson-databind | * |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| netapp | active_iq_unified_manager | * |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| fasterxml | jackson-databind | * |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_unifier | 18.8 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| netapp | active_iq_unified_manager | * |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | communications_element_manager | * |
| netapp | active_iq_unified_manager | * |
| oracle | banking_digital_experience | 18.1 |
| fasterxml | jackson-databind | * |
| oracle | banking_digital_experience | 18.2 |
| oracle | communications_diameter_signaling_router | * |
| oracle | banking_digital_experience | 19.1 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | communications_session_report_manager | * |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | agile_plm | 9.3.6 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_element_manager | * |
| netapp | active_iq_unified_manager | * |
| oracle | banking_digital_experience | 18.1 |
| fasterxml | jackson-databind | * |
| oracle | banking_digital_experience | 18.2 |
| oracle | communications_diameter_signaling_router | * |
| oracle | banking_digital_experience | 19.1 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | communications_session_report_manager | * |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | agile_plm | 9.3.6 |
| debian | debian_linux | 8.0 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | communications_element_manager | * |
| netapp | active_iq_unified_manager | * |
| oracle | banking_digital_experience | 18.1 |
| fasterxml | jackson-databind | * |
| oracle | banking_digital_experience | 18.2 |
| oracle | communications_diameter_signaling_router | * |
| oracle | banking_digital_experience | 19.1 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | communications_session_report_manager | * |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | agile_plm | 9.3.6 |
| debian | debian_linux | 8.0 |
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | communications_element_manager | * |
| netapp | active_iq_unified_manager | * |
| oracle | banking_digital_experience | 18.1 |
| fasterxml | jackson-databind | * |
| oracle | banking_digital_experience | 18.2 |
| oracle | communications_diameter_signaling_router | * |
| oracle | banking_digital_experience | 19.1 |
| netapp | steelstore_cloud_integrated_storage | - |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | communications_session_report_manager | * |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | agile_plm | 9.3.6 |
| debian | debian_linux | 8.0 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | communications_calendar_server | 8.0 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | communications_session_report_manager | * |
| oracle | communications_messaging_server | 8.1 |
| debian | debian_linux | 9.0 |
| oracle | identity_manager_connector | 11.1.1.5.0 |
| oracle | siebel_ui_framework | * |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| netapp | active_iq_unified_manager | - |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_element_manager | * |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | communications_contacts_server | 8.0 |
| oracle | banking_liquidity_management | 14.3 |
| oracle | communications_diameter_signaling_router | * |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | banking_liquidity_management | 14.5 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_liquidity_management | 14.2 |
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_calendar_server | 8.0 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | communications_session_report_manager | * |
| oracle | communications_messaging_server | 8.1 |
| debian | debian_linux | 9.0 |
| oracle | identity_manager_connector | 11.1.1.5.0 |
| oracle | banking_credit_facilities_process_management | 14.3.0 |
| oracle | siebel_ui_framework | * |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | banking_credit_facilities_process_management | 14.2.0 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.5.0 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_element_manager | * |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | banking_supply_chain_finance | 14.2.0 |
| oracle | banking_supply_chain_finance | 14.3.0 |
| oracle | communications_contacts_server | 8.0 |
| oracle | banking_corporate_lending_process_management | 14.2.0 |
| oracle | banking_corporate_lending_process_management | 14.3.0 |
| oracle | banking_liquidity_management | 14.3 |
| oracle | communications_diameter_signaling_router | * |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | siebel_core_-_server_framework | * |
| oracle | communications_policy_management | 12.5.0 |
| oracle | banking_liquidity_management | 14.5 |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_corporate_lending_process_management | 14.5.0 |
| oracle | banking_credit_facilities_process_management | 14.5.0 |
| oracle | banking_liquidity_management | 14.2 |
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | banking_apis | 20.1 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_platform | 2.8.0 |
| oracle | banking_platform | 2.9.0 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| fedoraproject | fedora | 32 |
| oracle | banking_apis | 21.1 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | banking_platform | 2.7.0 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | retail_service_backbone | 16.0.3 |
| oracle | utilities_framework | 4.3.0.5.0 |
| oracle | banking_apis | 19.1 |
| oracle | banking_platform | 2.10.0 |
| oracle | retail_xstore_point_of_service | 20.0.1 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | primavera_gateway | * |
| oracle | utilities_framework | 4.4.0.2.0 |
| oracle | utilities_framework | 4.4.0.3.0 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_interactive_session_recorder | 6.4 |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | insurance_policy_administration | * |
| oracle | sd-wan_edge | 9.0 |
| netapp | oncommand_api_services | - |
| oracle | banking_apis | 19.2 |
| oracle | banking_apis | * |
| fasterxml | jackson-databind | * |
| oracle | agile_product_lifecycle_management_integration_pack | 3.6 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_messaging_server | 8.1 |
| oracle | coherence | 14.1.1.0.0 |
| oracle | communications_interactive_session_recorder | 6.3 |
| netapp | service_level_manager | - |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| quarkus | quarkus | * |
| oracle | health_sciences_empirica_signal | 9.0 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_platform | 2.7.1 |
| oracle | commerce_platform | * |
| apache | iotdb | * |
| oracle | banking_platform | 2.6.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | utilities_framework | 4.4.0.0.0 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | communications_messaging_server | 8.0.2 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | utilities_framework | 4.3.0.6.0 |
| oracle | health_sciences_empirica_signal | 9.1 |
| oracle | agile_plm | 9.3.6 |
| netapp | oncommand_workflow_automation | - |
| oracle | coherence | 12.2.1.4.0 |
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | weblogic_server | 14.1.1.0.0 |
| fasterxml | jackson-dataformats-binary | 2.12.0 |
| quarkus | quarkus | * |
| oracle | weblogic_server | 12.2.1.4.0 |
| fasterxml | jackson-dataformats-binary | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | banking_platform | 2.8.0 |
| oracle | banking_platform | 2.9.0 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| debian | debian_linux | 9.0 |
| oracle | communications_interactive_session_recorder | 6.3 |
| netapp | service_level_manager | - |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | banking_platform | 2.7.0 |
| oracle | documaker | 12.6.3 |
| oracle | blockchain_platform | * |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_platform | 2.10.0 |
| oracle | banking_platform | 2.7.1 |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | banking_platform | 2.6.2 |
| oracle | documaker | 12.6.4 |
| oracle | communications_diameter_signaling_router | * |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | insurance_policy_administration_j2ee | 11.2.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_treasury_management | 14.4 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | communications_interactive_session_recorder | 6.4 |
| oracle | banking_virtual_account_management | 14.5.0 |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | banking_platform | 2.8.0 |
| oracle | banking_platform | 2.9.0 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | insurance_policy_administration_j2ee | 11.0.2 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | banking_platform | 2.7.0 |
| oracle | documaker | 12.6.3 |
| oracle | blockchain_platform | * |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_platform | 2.10.0 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | banking_platform | 2.7.1 |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | banking_platform | 2.6.2 |
| oracle | documaker | 12.6.4 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | communications_diameter_signaling_route | - |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_treasury_management | 14.4 |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | communications_diameter_signaling_route | * |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | sd-wan_edge | 9.0 |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | autovue | 21.0.2 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_treasury_management | 14.4 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | communications_session_report_manager | * |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_treasury_management | 14.4 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_supply_chain_finance | 14.5 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_credit_facilities_process_management | 14.3 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | banking_extensibility_workbench | 14.2 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | communications_element_manager | * |
| oracle | documaker | 12.6.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | banking_supply_chain_finance | 14.2 |
| oracle | banking_treasury_management | 4.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| oracle | banking_corporate_lending_process_management | 14.5 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | banking_credit_facilities_process_management | 14.2 |
| oracle | communications_session_route_manager | * |
| oracle | banking_corporate_lending_process_management | 14.3 |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | banking_extensibility_workbench | 14.3 |
| oracle | communications_session_report_manager | * |
| oracle | banking_extensibility_workbench | 14.5 |
| debian | debian_linux | 9.0 |
| netapp | service_level_manager | - |
| oracle | banking_credit_facilities_process_management | 14.5 |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | banking_supply_chain_finance | 14.3 |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | banking_corporate_lending_process_management | 14.2 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_policy_management | 12.5.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | primavera_unifier | 17.2 |
| oracle | communications_diameter_signaling_route | * |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_offline_mediation_controller | 12.0.0.3 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_billing_and_revenue_management | 7.5.0.23.0 |
| oracle | insurance_rules_palette | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | banking_platform | 2.8.0 |
| oracle | banking_platform | 2.9.0 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | primavera_unifier | 18.8 |
| oracle | commerce_platform | 11.2.0 |
| oracle | webcenter_portal | 12.2.1.3.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | banking_platform | 2.7.0 |
| oracle | documaker | 12.6.3 |
| oracle | banking_virtual_account_management | 14.3.0 |
| oracle | communications_convergent_charging_controller | 12.0.4.0.0 |
| oracle | retail_service_backbone | 16.0.3 |
| oracle | banking_platform | 2.10.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | documaker | 12.6.4 |
| oracle | communications_instant_messaging_server | 10.0.1.5.0 |
| netapp | cloud_backup | - |
| oracle | primavera_gateway | * |
| oracle | webcenter_portal | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | communications_interactive_session_recorder | 6.4 |
| oracle | communications_network_charging_and_control | 12.0.4.0.0 |
| oracle | banking_virtual_account_management | 14.5.0 |
| oracle | primavera_unifier | * |
| oracle | insurance_policy_administration | * |
| oracle | communications_session_route_manager | * |
| fasterxml | jackson-databind | * |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | communications_messaging_server | 8.1 |
| debian | debian_linux | 9.0 |
| oracle | communications_interactive_session_recorder | 6.3 |
| netapp | service_level_manager | - |
| oracle | banking_virtual_account_management | 14.2.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | insurance_policy_administration | 11.0.2 |
| oracle | blockchain_platform | * |
| oracle | goldengate_application_adapters | 19.1.0.0.0 |
| oracle | retail_customer_management_and_segmentation_foundation | * |
| oracle | banking_platform | 2.7.1 |
| oracle | retail_merchandising_system | 15.0.3 |
| oracle | commerce_platform | * |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | banking_platform | 2.6.2 |
| oracle | primavera_gateway | 20.12.0 |
| oracle | insurance_rules_palette | 11.0.2 |
| oracle | communications_diameter_signaling_router | * |
| oracle | communications_pricing_design_center | 12.0.0.4.0 |
| oracle | communications_messaging_server | 8.0.2 |
| oracle | retail_service_backbone | 15.0.3.1 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.4.0 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_treasury_management | 14.4 |
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | commerce_platform | 11.3.2 |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.0 |
| oracle | primavera_unifier | 20.12 |
| oracle | financial_services_enterprise_case_management | 8.0.7.2 |
| oracle | health_sciences_empirica_signal | 9.1.0.5.2 |
| oracle | global_lifecycle_management_nextgen_oui_framework | * |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 22.2.0 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 |
| oracle | peoplesoft_enterprise_peopletools | 8.58 |
| oracle | utilities_framework | 4.3.0.5.0 |
| debian | debian_linux | 11.0 |
| netapp | snap_creator_framework | - |
| netapp | active_iq_unified_manager | - |
| oracle | primavera_unifier | 19.12 |
| netapp | oncommand_insight | - |
| oracle | big_data_spatial_and_graph | * |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.1 |
| oracle | financial_services_enterprise_case_management | 8.0.8.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * |
| oracle | primavera_gateway | * |
| oracle | utilities_framework | 4.4.0.2.0 |
| debian | debian_linux | 10.0 |
| oracle | utilities_framework | 4.4.0.3.0 |
| oracle | commerce_platform | 11.3.0 |
| oracle | communications_billing_and_revenue_management | * |
| oracle | primavera_unifier | * |
| oracle | communications_cloud_native_core_console | 1.9.0 |
| oracle | financial_services_enterprise_case_management | * |
| oracle | communications_cloud_native_core_service_communication_proxy | 22.2.0 |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.7 |
| oracle | sd-wan_edge | 9.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | financial_services_behavior_detection_platform | * |
| oracle | financial_services_enterprise_case_management | 8.0.8.1 |
| oracle | sd-wan_edge | 9.1 |
| oracle | weblogic_server | 14.1.1.0.0 |
| oracle | primavera_unifier | 21.12 |
| fasterxml | jackson-databind | * |
| oracle | retail_sales_audit | 15.0.3.1 |
| oracle | spatial_studio | * |
| oracle | communications_cloud_native_core_network_repository_function | 22.1.2 |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.1.0 |
| debian | debian_linux | 9.0 |
| oracle | coherence | 14.1.1.0.0 |
| netapp | cloud_insights_acquisition_unit | - |
| oracle | commerce_platform | 11.3.1 |
| oracle | financial_services_behavior_detection_platform | 8.0.7.0.0 |
| oracle | primavera_unifier | 18.0 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.1 |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.8 |
| oracle | communications_cloud_native_core_network_repository_function | 22.2.0 |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 |
| oracle | financial_services_behavior_detection_platform | 8.0.8 |
| oracle | utilities_framework | 4.4.0.0.0 |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 |
| oracle | utilities_framework | 4.3.0.6.0 |
| oracle | peoplesoft_enterprise_peopletools | 8.59 |
| netapp | oncommand_workflow_automation | - |
| oracle | financial_services_enterprise_case_management | 8.0.7.1 |
| oracle | utilities_framework | 4.4.0.5.0 |
| oracle | communications_cloud_native_core_binding_support_function | 22.1.3 |
| oracle | graph_server_and_client | * |
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| huawei | oceanstor_9000_firmware | v300r006c20spc200 |
| netapp | service_level_manager | - |
| huawei | oceanstor_9000_firmware | v300r006c20 |
| debian | debian_linux | 8.0 |
| netapp | oncommand_workflow_automation | - |
| fasterxml | jackson-databind | * |
| huawei | oceanstor_9000_firmware | v300r006c20spc100 |
| huawei | oceanstor_9000_firmware | v300r006c20spc300 |
| netapp | steelstore_cloud_integrated_storage | - |
| netapp | oncommand_api_services | - |
| oracle | global_lifecycle_management_opatch | * |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| oracle | financial_services_institutional_performance_analytics | 8.0.6 |
| oracle | financial_services_price_creation_and_discovery | 8.0.7 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | financial_services_institutional_performance_analytics | 8.1.0 |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | insurance_policy_administration_j2ee | 11.1.0.15 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | financial_services_price_creation_and_discovery | 8.0.6 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_element_manager | * |
| netapp | active_iq_unified_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | financial_services_retail_customer_analytics | 8.0.6 |
| oracle | insurance_policy_administration_j2ee | 11.0.2.25 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_session_route_manager | * |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | financial_services_institutional_performance_analytics | 8.0.7 |
| oracle | retail_xstore_point_of_service | 16.0 |
| fasterxml | jackson-databind | * |
| oracle | retail_service_backbone | 16.0 |
| oracle | banking_digital_experience | 18.2 |
| oracle | retail_service_backbone | 15.0 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| oracle | financial_services_institutional_performance_analytics | 8.7.0 |
| debian | debian_linux | 8.0 |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | financial_services_analytical_applications_infrastructure | * |
| oracle | retail_service_backbone | 14.1 |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| fasterxml | jackson-databind | * |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | primavera_unifier | 16.2 |
| oracle | primavera_unifier | 18.8 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | banking_platform | * |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| netapp | active_iq_unified_manager | * |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_session_route_manager | * |
| oracle | banking_digital_experience | 19.2 |
| oracle | communications_calendar_server | 8.0.0.4.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | banking_digital_experience | 18.3 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | communications_network_charging_and_control | * |
| oracle | primavera_unifier | 16.1 |
| fasterxml | jackson-databind | * |
| oracle | banking_digital_experience | 18.2 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | banking_digital_experience | 20.1 |
| oracle | primavera_unifier | 16.2 |
| oracle | communications_session_report_manager | * |
| oracle | primavera_unifier | 18.8 |
| oracle | communications_contacts_server | 8.0.0.5.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| debian | debian_linux | 8.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | retail_merchandising_system | 15.0 |
| oracle | banking_platform | * |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | retail_sales_audit | 14.1 |
| oracle | global_lifecycle_management_opatch | * |
| oracle | communications_contacts_server | 8.0.0.4.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | communications_network_charging_and_control | 6.0.1 |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_element_manager | * |
| netapp | active_iq_unified_manager | * |
| oracle | banking_digital_experience | 18.1 |
| oracle | enterprise_manager_base_platform | 13.3.0.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | banking_digital_experience | 19.1 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | retail_xstore_point_of_service | 19.0 |
| oracle | agile_plm | 9.3.6 |
| oracle | jd_edwards_enterpriseone_tools | * |
| oracle | primavera_unifier | * |
| oracle | communications_instant_messaging_server | 10.0.1.4.0 |
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apache | nifi | * |
| netapp | active_iq_unified_manager | - |
| debian | debian_linux | 9.0 |
| netapp | oncommand_insight | - |
| netapp | service_level_manager | - |
| fasterxml | jackson-databind | * |
| netapp | oncommand_api_services | - |
| oracle | commerce_guided_search_and_experience_manager | 11.3.2 |
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xstream_project | xstream | * |
| fasterxml | woodstox | * |
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 11.0 |
| debian | debian_linux | 10.0 |
| netapp | oncommand_workflow_automation | - |
| quarkus | quarkus | * |
| fasterxml | jackson-databind | * |
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 11.0 |
| debian | debian_linux | 10.0 |
| netapp | oncommand_workflow_automation | - |
| quarkus | quarkus | * |
| fasterxml | jackson-databind | * |
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-databind | * |
Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve-coordination@google.com | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-dataformats-text | * |
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-core | * |