Red Hat Software Collections update for rh-maven35-jackson-databind
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-24750 |
| CWE-ID | CWE-502 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
rh-maven35-jackson-databind (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Deserialization of Untrusted Data
EUVDB-ID: #VU47105
Risk: High
CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2020-24750
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. A remote attacker can execute arbitrary code on the target system.
Install updates from vendor's website.
rh-maven35-jackson-databind (Red Hat package): 2.7.6-2.4.el7 - 2.7.6-2.10.el7
CPE2.3- cpe:2.3:a:red_hat:rh-maven35-jackson-databind_redhat_package:2.7.6-2.4.el7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:a:red_hat:rh-maven35-jackson-databind_redhat_package:2.7.6-2.5.el7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:a:red_hat:rh-maven35-jackson-databind_redhat_package:2.7.6-2.6.el7:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2020:4173
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
