Lucene search

RedhatCVE-2021-20190

HistoryJan 19, 2021 - 5:15 p.m.

CVE-2021-20190

2021-01-1917:15:13

CWE-502

redhat

web.nvd.nist.gov

210

cve-2021-20190

jackson-databind

fastxml

serialization

typing

data confidentiality

data integrity

system availability

nvd

CVSS2

8.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:P/I:P/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.004

Percentile

74.6%

JSON

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected configurations

Nvd

Vulners

Node

fasterxmljackson-databindRange<2.6.7.5

fasterxmljackson-databindRange2.7.0–2.9.10.7

Node

netappactive_iq_unified_managerMatch-linux

netappactive_iq_unified_managerMatch-windows

netapponcommand_api_servicesMatch-

netapponcommand_insightMatch-

netappservice_level_managerMatch-

Node

apachenifiRange1.7.0–1.12.1

Node

debiandebian_linuxMatch9.0

Node

oraclecommerce_guided_search_and_experience_managerMatch11.3.2

VendorProductVersionCPE
fasterxmljackson-databind*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
netappactive_iq_unified_manager-cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
netappactive_iq_unified_manager-cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
netapponcommand_api_services-cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
netapponcommand_insight-cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
netappservice_level_manager-cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*
apachenifi*cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
oraclecommerce_guided_search_and_experience_manager11.3.2cpe:2.3:a:oracle:commerce_guided_search_and_experience_manager:11.3.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fasterxml	jackson-databind	*	cpe:2.3:a:fasterxml:jackson-databind::::::::
netapp	active_iq_unified_manager	-	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
netapp	active_iq_unified_manager	-	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
netapp	oncommand_api_services	-	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*
netapp	oncommand_insight	-	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
netapp	service_level_manager	-	cpe:2.3:a:netapp:service_level_manager:-:::::::*
apache	nifi	*	cpe:2.3:a:apache:nifi::::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
oracle	commerce_guided_search_and_experience_manager	11.3.2	cpe:2.3:a:oracle:commerce_guided_search_and_experience_manager:11.3.2:::::::*

CNA Affected

[
  {
    "product": "jackson-databind",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "jackson-databind 2.9.10.7"
      }
    ]
  }
]