Vulnerabilidad en la interacción entre los dispositivos de serialización y la escritura en FasterXML jackson-databind (CVE-2020-35728)
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-502
Deserialización de datos no confiables
Fecha de publicación:
27/12/2020
Última modificación:
27/08/2025
Descripción
FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (también se conoce como Xalan incorporado en org.glassfish.web/javax.servlet.jsp.jstl)
Impacto
Puntuación base 3.x
8.10
Gravedad 3.x
ALTA
Puntuación base 2.0
6.80
Gravedad 2.0
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.9.0 (incluyendo) | 2.9.10.8 (excluyendo) |
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:autovue:21.0.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_extensibility_workbench:14.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_extensibility_workbench:14.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_extensibility_workbench:14.5:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://github.com/FasterXML/jackson-databind/issues/2999
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20210129-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/FasterXML/jackson-databind/issues/2999
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://security.netapp.com/advisory/ntap-20210129-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html