CVE-2020-14061 (High) detected in multiple libraries - autoclosed #86

mend-for-github-com · 2021-05-20T20:05:43Z

CVE-2020-14061 - High Severity Vulnerability

Vulnerable Libraries - jackson-databind-2.9.5.jar, jackson-databind-2.8.10.jar, jackson-databind-2.9.8.jar, jackson-databind-2.9.6.jar

jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-validate-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

tika-parsers-1.18.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

jackson-databind-2.8.10.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-fbi-service/pom.xml

Path to vulnerable library: /tools/nibrs-fbi-service/target/nibrs-fbi-service-1.0.0/WEB-INF/lib/jackson-databind-2.8.10.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar

Dependency Hierarchy:

❌ jackson-databind-2.8.10.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tools/nibrs-summary-report-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

spring-boot-starter-web-2.1.5.RELEASE.jar (Root Library)
- spring-boot-starter-json-2.1.5.RELEASE.jar
  - ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.6.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /web/nibrs-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/web/nibrs-web/target/nibrs-web/WEB-INF/lib/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar

Dependency Hierarchy:

❌ jackson-databind-2.9.6.jar (Vulnerable Library)

Found in HEAD commit: e33ecd45d71662f63121c238ca1c416a6631a650

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

Publish Date: 2020-06-14

URL: CVE-2020-14061

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061

Release Date: 2020-06-14

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.23

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label May 20, 2021

mend-for-github-com bot mentioned this issue Apr 18, 2022

Update dependency org.apache.tika:tika-parsers to v1.21 - abandoned #211

Open

1 task

mend-for-github-com bot changed the title ~~CVE-2020-14061 (High) detected in multiple libraries~~ CVE-2020-14061 (High) detected in multiple libraries - autoclosed May 6, 2024

mend-for-github-com bot closed this as completed May 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-14061 (High) detected in multiple libraries - autoclosed #86

CVE-2020-14061 (High) detected in multiple libraries - autoclosed #86

mend-for-github-com bot commented May 20, 2021 •

edited

Loading

CVE-2020-14061 (High) detected in multiple libraries - autoclosed #86

CVE-2020-14061 (High) detected in multiple libraries - autoclosed #86

Comments

mend-for-github-com bot commented May 20, 2021 • edited Loading

CVE-2020-14061 - High Severity Vulnerability

mend-for-github-com bot commented May 20, 2021 •

edited

Loading