Vulnerability Database

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where entity expansion was not secured properly. This flaw leaves it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.

CVSS v3:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:N/I:P/A:N

| Software | From | Fixed in |
|---|---|---|
| fasterxml / jackson-databind | 2.10.0 | 2.10.5.1 |
| fasterxml / jackson-databind | 2.9.0 | 2.9.10.7 |
| fasterxml / jackson-databind | 2.6.0 | 2.6.7.4 |
| fedoraproject / fedora | 32 | 32.x |
| quarkus / quarkus | - | 1.6.1.x |
| apache / iotdb | - | 0.12.0 |
| oracle / webcenter_portal | 12.2.1.3.0 | 12.2.1.3.0.x |
| oracle / banking_platform | 2.6.2 | 2.6.2.x |
| oracle / utilities_framework | 4.3.0.5.0 | 4.3.0.5.0.x |
| oracle / utilities_framework | 4.3.0.6.0 | 4.3.0.6.0.x |
| oracle / utilities_framework | 4.4.0.0.0 | 4.4.0.0.0.x |
| oracle / agile_plm | 9.3.6 | 9.3.6.x |
| oracle / coherence | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / webcenter_portal | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / sd-wan_edge | 9.0 | 9.0.x |
| oracle / coherence | 14.1.1.0.0 | 14.1.1.0.0.x |
| oracle / utilities_framework | 4.4.0.2.0 | 4.4.0.2.0.x |
| oracle / communications_billing_and_revenue_management | 12.0.0.3.0 | 12.0.0.3.0.x |
| oracle / communications_billing_and_revenue_management | 7.5.0.23.0 | 7.5.0.23.0.x |
| oracle / communications_services_gatekeeper | 7.0 | 7.0.x |
| oracle / banking_platform | 2.7.0 | 2.7.0.x |
| oracle / banking_platform | 2.7.1 | 2.7.1.x |
| oracle / banking_platform | 2.9.0 | 2.9.0.x |
| oracle / communications_evolved_communications_application_server | 7.1 | 7.1.x |
| oracle / goldengate_application_adapters | 19.1.0.0.0 | 19.1.0.0.0.x |
| oracle / retail_service_backbone | 16.0.3 | 16.0.3.x |
| oracle / banking_platform | 2.8.0 | 2.8.0.x |
| oracle / primavera_gateway | 17.7 | 17.12.x |
| oracle / insurance_rules_palette | 11.0.2 | 11.0.2.x |
| oracle / communications_interactive_session_recorder | 6.3 | 6.3.x |
| oracle / communications_interactive_session_recorder | 6.4 | 6.4.x |
| oracle / communications_messaging_server | 8.1 | 8.1.x |
| oracle / communications_messaging_server | 8.0.2 | 8.0.2.x |
| oracle / commerce_platform | 11.3.0 | 11.3.2.x |
| oracle / commerce_platform | 11.2.0 | 11.2.0.x |
| oracle / communications_unified_inventory_management | 7.4.1 | 7.4.1.x |
| oracle / retail_xstore_point_of_service | 16.0.6 | 16.0.6.x |
| oracle / retail_xstore_point_of_service | 17.0.4 | 17.0.4.x |
| oracle / retail_xstore_point_of_service | 18.0.3 | 18.0.3.x |
| oracle / retail_xstore_point_of_service | 19.0.2 | 19.0.2.x |
| oracle / retail_xstore_point_of_service | 20.0.1 | 20.0.1.x |
| oracle / health_sciences_empirica_signal | 9.0 | 9.0.x |
| oracle / banking_platform | 2.10.0 | 2.10.0.x |
| oracle / retail_service_backbone | 15.0.3.1 | 15.0.3.1.x |
| oracle / retail_service_backbone | 14.1.3.2 | 14.1.3.2.x |
| oracle / jd_edwards_enterpriseone_tools | - | 9.2.5.3 |
| oracle / jd_edwards_enterpriseone_orchestrator | - | 9.2.5.3 |
| oracle / insurance_rules_palette | 11.1.0 | 11.3.0.x |
| oracle / insurance_policy_administration | 11.1.0 | 11.3.0.x |
| oracle / insurance_policy_administration | 11.0.2 | 11.0.2.x |
| oracle / banking_treasury_management | 4.4 | 4.4.x |
| oracle / primavera_gateway | 20.12.0 | 20.12.0.x |
| oracle / primavera_gateway | 19.12.0 | 19.12.10.x |
| oracle / primavera_gateway | 18.8.0 | 18.8.11.x |
| oracle / primavera_gateway | 17.12.0 | 17.12.11.x |
| oracle / communications_cloud_native_core_unified_data_repository | 1.4.0 | 1.4.0.x |
| oracle / communications_network_charging_and_control | 12.0.4.0.0 | 12.0.4.0.0.x |
| oracle / communications_convergent_charging_controller | 12.0.4.0.0 | 12.0.4.0.0.x |
| oracle / utilities_framework | 4.4.0.3.0 | 4.4.0.3.0.x |
| oracle / health_sciences_empirica_signal | 9.1 | 9.1.x |
| oracle / agile_product_lifecycle_management_integration_pack | 3.6 | 3.6.x |
| oracle / communications_pricing_design_center | 12.0.0.4.0 | 12.0.0.4.0.x |
| oracle / banking_apis | 18.1 | 18.3.x |
| oracle / banking_apis | 19.1 | 19.1.x |
| oracle / banking_apis | 19.2 | 19.2.x |
| oracle / banking_apis | 20.1 | 20.1.x |
| oracle / banking_apis | 21.1 | 21.1.x |
| oracle / communications_instant_messaging_server | 10.0.1.5.0 | 10.0.1.5.0.x |
| oracle / communications_offline_mediation_controller | 12.0.0.3 | 12.0.0.3.x |
| oracle / blockchain_platform | - | 21.1.2 |
| com.fasterxml.jackson.core / jackson-databind | - | 2.6.7.4 |
| com.fasterxml.jackson.core / jackson-databind | 2.7.0.0 | 2.9.10.7 |
| com.fasterxml.jackson.core / jackson-databind | 2.10.0.0 | 2.10.5.1 |