CVE-2020-25649 – com.fasterxml.jackson.core:jackson-databind
Package
Manager: maven
Name: com.fasterxml.jackson.core:jackson-databind
Vulnerable Version: >=2.6.0 <2.6.7.4 || >=2.7.0.0 <2.9.10.7 || >=2.10.0.0 <2.10.5.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00011 (percentile: 0.01086)
Details
XML External Entity (XXE) Injection in Jackson Databind
A flaw was found in FasterXML Jackson Databind: entity expansion was not properly secured. This leaves the library vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Metadata
Created: 2021-02-18T20:51:54Z
Modified: 2024-03-15T00:30:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-288c-cq4h-88gq
Finding: F083
Auto approve: 1