CVE-2020-10673 (Medium) detected in jackson-databind-2.9.10.3.jar

Question

CVE-2020-10673 (Medium) detected in jackson-databind-2.9.10.3.jar

mend-for-github-com opened this issue 5 years ago · 0 comments

mend-for-github-com commented 5 years ago

CVE-2020-10673 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.10.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/jmx2graphite/pom.xml

Path to vulnerable library: downloadResource_13441175-5a70-46fd-9bd1-16f58b00e3c3/20200310104446/jackson-databind-2.9.10.3.jar

Dependency Hierarchy:

❌ jackson-databind-2.9.10.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Publish Date: 2020-03-18

URL: CVE-2020-10673

CVSS 3 Score Details (5.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: N/A
- Attack Complexity: N/A
- Privileges Required: N/A
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS3 Scores, click here.